httpd-dev mailing list archives

From "James H. Cloos Jr." <cl...@jhcloos.com>
Subject Re: WWW Form Bug Report: "SetEnv in .htaccess" on HPUX
Date Wed, 03 Jul 1996 07:09:05 GMT
Brian> This seems reasonable enough to me.  Isn't it a simple change
Brian> in the command_rec?

Ben> And the stuff of CERT alerts. This would possibly allow, at
Ben> least, shared library hacks, and perhaps worse stuff. If there
Ben> were a list somewhere else of envs which .htaccess is permitted
Ben> to change it might be OK.

Of course, if they have CGI access they can already set such variables
and call other binaries to make use of alternate shared objects, etc.

But that wouldn't affect the server itself.

So a compromise might be a directive that will set a table of
name/value pairs that get added to the environment whenever an
external process is called, such as CGIs, anything exec'ed by
mod_include, etc.

This would create extra bloat, but it is at least worth it to discuss
it or other solutions.

-JimC
-- 
James H. Cloos, Jr.	<URL:http://www.io.com/~cloos/>
cloos@io.com		LPF,Usenix,SAGE,ISOC,ACLU
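
The compromise proposed above, combined with Ben's idea of a list of permitted names, as an added example (not code from Apache or from this thread): the per-directory table is merged only into the envp handed to an external process, and the server's own environment is left alone. The allowlist contents, `struct env_pair`, `build_child_env` and the sample data are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

struct env_pair { const char *name, *value; };

/* Assumption: names the server administrator lets .htaccess set. */
static const char *const permitted[] = { "TZ", "LANG", "APP_MODE", NULL };

static int name_permitted(const char *name) {
    if (name[0] == '\0' || strchr(name, '=')) return 0; /* breaks NAME=value */
    for (size_t i = 0; permitted[i]; i++)
        if (strcmp(name, permitted[i]) == 0) return 1;
    return 0; /* LD_LIBRARY_PATH, SHLIB_PATH, PATH and the rest are refused */
}

/* Fill out[] with a child envp: base entries are borrowed, permitted table
 * pairs are formatted into buf and override or extend them. The server's own
 * environ is never modified. Returns the count, or -1 if out or buf is full. */
static int build_child_env(char *const base[], const struct env_pair *tbl, size_t ntbl,
                           char **out, size_t cap, char *buf, size_t buflen) {
    size_t n = 0, used = 0;
    if (cap == 0) return -1;
    for (size_t i = 0; base[i]; i++) {
        if (n + 1 >= cap) return -1;   /* keep one slot for the NULL */
        out[n++] = base[i];
    }
    for (size_t t = 0; t < ntbl; t++) {
        if (!name_permitted(tbl[t].name)) continue;
        size_t nl = strlen(tbl[t].name), left = buflen - used, j = 0;
        int w = snprintf(buf + used, left, "%s=%s", tbl[t].name, tbl[t].value);
        if (w < 0 || (size_t)w >= left) return -1;
        while (j < n && !(strncmp(out[j], tbl[t].name, nl) == 0 && out[j][nl] == '=')) j++;
        if (j == n && ++n >= cap) return -1;
        out[j] = buf + used;           /* replace existing NAME or append */
        used += (size_t)w + 1;
    }
    out[n] = NULL;
    return (int)n;
}

/* Constructed sample: the server's base environment and an .htaccess table. */
static char *sample_base[] = { "PATH=/usr/bin", "TZ=UTC", NULL };
static const struct env_pair sample_tbl[] = {
    { "TZ", "US/Central" }, { "SHLIB_PATH", "/tmp/lib" }, { "APP_MODE", "test" } };
static char *child_envp[8], child_buf[128];

int main(void) { /* a real caller would hand child_envp to execve() in the child */
    int n = build_child_env(sample_base, sample_tbl, 3, child_envp, 8, child_buf, sizeof child_buf);
    for (int i = 0; i < n; i++) puts(child_envp[i]);
    return 0;
}
```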
