httpd-dev mailing list archives

From Ben Laurie <...@gonzo.ben.algroup.co.uk>
Subject Re: Bug?
Date Sun, 28 Jul 1996 21:00:04 GMT
Randy Terbush wrote:
> 
> > Ben Laurie wrote:
> > > 
> > > If I cause a CGI to be run, thus: "http://somewhere/somecgi?%3f", then I would
> > > expect argv[1] in the CGI to be "?". Wouldn't you? Anyway, it isn't. It is
> > > "\?". I suspect the spurious "security hole" is the culprit. So, do I fix it?
> > 
> > Stranger still, any string containing an '=' causes argv[1] to be empty! Why?
> > 
> > Cheers,
> > 
> > Ben (beginning to wonder about his marbles).
> 
> My first concern was call_exec(), but after looking over that and mod_cgi,
> I'm relatively certain that the net effect is the same. My tests with
> some perl CGI show that it is working as expected. 
> 
> Since I generally pull arguments in from QUERY_STRING, I'm not sure
> what I would expect argv[1] to be. I'm guessing "?".

The commented out line below was the "?" culprit. I haven't tracked down the
"=" culprit, yet. Haven't tried, mind you.

char **create_argv(pool *p, char *av0, char *args) {
    register int x,n;
    char **av;
    char *w;

    for(x=0,n=2;args[x];x++)
        if(args[x] == '+') ++n;

    av = (char **)palloc(p, (n+1)*sizeof(char *));
    av[0] = av0;

    for(x=1;x<n;x++) {
        w = getword_nulls(p, &args, '+');
        unescape_url(w);
        /* av[x] = escape_shell_cmd(p, w); */
        av[x] = w;
    }
    av[n] = NULL;
    return av;
}

Cheers,

Ben.

-- 
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email: ben@algroup.co.uk
A.L. Digital Ltd,           URL: http://www.algroup.co.uk
London, England.            Apache Group member (http://www.apache.org)
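
An added illustration (not code from this message or from Apache) of the behaviour discussed above: the query is split on '+', each word is URL-decoded, and shell escaping applied to a word that goes straight into argv turns "?" into "\?". The names `query_to_argv`, `copy_word`, `url_unescape` and the metacharacter list are assumptions of this example; the '=' check follows the CGI specification's rule that a query containing an unencoded '=' is not passed on the command line.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed metacharacter list for this example (not Apache's own table). */
static const char SHELL_META[] = "&;`'\"|*?~<>^()[]{}$\\\n";
/* Heap copy of s; with escape set, backslash-prefix each shell metacharacter. */
static char *copy_word(const char *s, int escape) {
    char *buf = malloc(2 * strlen(s) + 1), *o = buf;
    if (!buf) return NULL;
    for (; *s; s++) {
        if (escape && strchr(SHELL_META, *s)) *o++ = '\\';
        *o++ = *s;
    }
    *o = '\0';
    return buf;
}

/* Decode %XX in place; -1 on a malformed escape or a decoded NUL (%00). */
static int url_unescape(char *s) {
    char *o = s, hex[3] = {0};
    for (; *s; s++) {
        if (*s != '%') { *o++ = *s; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return -1;
        hex[0] = s[1]; hex[1] = s[2]; s += 2;
        if ((*o++ = (char)strtol(hex, NULL, 16)) == '\0') return -1;
    }
    *o = '\0';
    return 0;
}

/* Split on '+', decode each word, optionally shell-escape it; fills at most max
 * entries of av (caller frees). Returns word count, 0 if empty or has '=', -1 on error. */
int query_to_argv(const char *query, int escape, char **av, int max) {
    char *copy, *w, *next;
    int n = 0;
    if (!*query || strchr(query, '=')) return 0;
    if (!(copy = copy_word(query, 0))) return -1;
    for (w = copy; w && n < max; w = next, n++) {
        if ((next = strchr(w, '+'))) *next++ = '\0';
        if (url_unescape(w) == 0 && (av[n] = copy_word(w, escape))) continue;
        while (n) free(av[--n]);   /* undo partial result on failure */
        free(copy);
        return -1;
    }
    free(copy);
    return n;
}
```

Escaping is only needed when the words are later interpolated into a shell command line; words handed to an exec-style call as separate argv entries reach the program byte for byte.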
