Randy Terbush wrote:
>
> > Ben Laurie wrote:
> > >
> > > If I cause a CGI to be run, thus: "http://somewhere/somecgi?%3f", then I would
> > > expect argv[1] in the CGI to be "?". Wouldn't you? Anyway, it isn't. It is
> > > "\?". I suspect the spurious "security hole" is the culprit. So, do I fix it?
> >
> > Stranger still, any string containing an '=' causes argv[1] to be empty! Why?
> >
> > Cheers,
> >
> > Ben (beginning to wonder about his marbles).
>
> My first concern was call_exec(), but after looking over that and mod_cgi,
> I'm relatively certain that the net effect is the same. My tests with
> some perl CGI show that it is working as expected.
>
> Since I generally pull arguments in from QUERY_STRING, I'm not sure
> what I would expect argv[1] to be. I'm guessing "?".

The commented out line below was the "?" culprit. I haven't tracked down the
"=" culprit, yet. Haven't tried, mind you.

    char **create_argv(pool *p, char *av0, char *args) {
        register int x,n;
        char **av;
        char *w;

        for(x=0,n=2;args[x];x++)
            if(args[x] == '+') ++n;

        av = (char **)palloc(p, (n+1)*sizeof(char *));
        av[0] = av0;

        for(x=1;x<n;x++) {
            w = getword_nulls(p, &args, '+');
            unescape_url(w);
            /* av[x] = escape_shell_cmd(p, w);*/
            av[x] = w;
        }
        av[n] = NULL;
        return av;
    }

Cheers,

Ben.

--
Ben Laurie Phone: +44 (181) 994 6435
Freelance Consultant and Fax: +44 (181) 994 6472
Technical Director Email: ben@algroup.co.uk
A.L. Digital Ltd, URL: http://www.algroup.co.uk
London, England. Apache Group member (http://www.apache.org)
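
Added example (not part of the original message, and not Apache source): a stand-alone C sketch of why shell-escaping words that are placed directly into an exec-style argv, with no shell to strip the backslashes, leaves argv[1] as "\?" rather than "?". The helper names, the metacharacter set, and the '=' handling (taken from the CGI convention for indexed queries) are assumptions made for illustration.

```c
/* Added example, not Apache source; all helper names are hypothetical. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX sequences in place; malformed escapes are copied through. */
static void url_decode(char *s) {
    char *o = s;
    for (; *s; s++) {
        if (*s == '%' && isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2])) {
            char hex[3] = { s[1], s[2], '\0' };
            *o++ = (char)strtol(hex, NULL, 16);
            s += 2;
        } else {
            *o++ = *s;
        }
    }
    *o = '\0';
}

/* Copy a word; if escape is set, backslash-prefix shell metacharacters
   (illustrative set, assumed). Caller frees the result. */
static char *copy_word(const char *s, int escape) {
    char *out = malloc(2 * strlen(s) + 1), *o = out;
    if (!out) return NULL;
    for (; *s; s++) {
        if (escape && strchr("&;`'\"|*?~<>^()[]{}$\\\n", *s)) *o++ = '\\';
        *o++ = *s;
    }
    *o = '\0';
    return out;
}

/* Split the query on '+', decode each word, optionally shell-escape it.
   An unencoded '=' marks form data: no command-line words (CGI convention). */
char **query_to_argv(char *av0, const char *query, int escape) {
    int n = 2, x = 1;
    char *copy = NULL, *w, *next;
    if (!strchr(query, '=')) copy = copy_word(query, 0);
    for (w = copy; w && *w; w++) if (*w == '+') n++;
    char **av = calloc((size_t)n + 1, sizeof *av);   /* zeroed, so NULL-terminated */
    if (!av) { free(copy); return NULL; }
    av[0] = av0;
    for (w = copy; w; w = next, x++) {
        if ((next = strchr(w, '+')) != NULL) *next++ = '\0';
        url_decode(w);
        av[x] = copy_word(w, escape);
    }
    free(copy);
    return av;
}
```

Escaping of this kind is only undone when a shell parses the string; when the words go straight to exec, the script sees the backslash as data.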