httpd-dev mailing list archives

From Ben Laurie <>
Subject Re: Bug?
Date Sun, 28 Jul 1996 21:07:45 GMT
Alexei Kosut wrote:
> On Sun, 28 Jul 1996, Ben Laurie wrote:
> > If I cause a CGI to be run, thus: "http://somewhere/somecgi?%3f", then I would
> > expect argv[1] in the CGI to be "?". Wouldn't you? Anyway, it isn't. It is
> > "\?". I suspect the spurious "security hole" is the culprit. So, do I fix it?
> a) Why would you want to use argv anyhow? Use QUERY_STRING. The argv
>    support is just to make ancient htbin scripts easier to port. But,
>    seeing as how no one uses them anymore (if they do, they aren't using
>    Apache - we took out OldScriptAlias long ago).

Because it's easier. argv[1] is shorter than getenv("QUERY_STRING") and a pile
of stuff to parse it. It also means that I can test the CGIs more easily. OK,
so I'm being lazy, but isn't that what software is for?

And since I do use them, it ain't true that no one uses them anymore ;-)

> b) In argv, all shell wildcards are escaped. Otherwise, it could be
>    expanded by the shell, and that's generally a bad thing, security-wise.

I absolutely don't buy this argument. Stuff passed to a shell or any other
program via argv is _not_ expanded (under Unix, at least). If anyone is foolish
enough to use it untreated within a shell script, then yes, it will be
expanded, but that argument applies equally to QUERY_STRING.

> c) If you really want to change the behavior, remove the "?" from line 597
>    of util.c (the escape_shell_cmd() function). But I wouldn't
>    recommend it.

Well, as you can see, I took out the escape_shell_command() altogether. I
haven't committed it (yet).



Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email:
A.L. Digital Ltd,           URL:
London, England.            Apache Group member (
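
Added example, not part of the original message or of Apache's code: a C program that hands the constructed argument `/b?n` to `/bin/sh` through `execv()`, showing that the pattern reaches the script intact and is expanded only where the script uses `$1` or `$QUERY_STRING` unquoted. It assumes a Unix system with `/bin/sh`; the helper names `capture` and `arg_as_seen` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define SAMPLE "/b?n" /* constructed input: a glob pattern that matches /bin */

/* Launch argv[0] with execv() (no shell takes part in the launch itself)
 * and capture the child's stdout. Returns 0 on success, -1 on failure. */
static int capture(char *const argv[], char *out, size_t cap)
{
    int fds[2], status;
    if (cap == 0 || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                      /* child: stdout goes to the pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execv(argv[0], argv);
        _exit(127);                      /* reached only if execv failed */
    }
    close(fds[1]);
    size_t used = 0; ssize_t n;
    while (used < cap - 1 && (n = read(fds[0], out + used, cap - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0'; close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Run `script` under /bin/sh -c with SAMPLE as both $1 and QUERY_STRING,
 * the way a CGI would receive it, and report what the script printed. */
int arg_as_seen(const char *script, char *out, size_t cap)
{
    char *const argv[] = { "/bin/sh", "-c", (char *)script, "sh", SAMPLE, NULL };
    if (setenv("QUERY_STRING", SAMPLE, 1) != 0) return -1;
    return capture(argv, out, cap);
}

int main(void)
{
    const char *scripts[] = { "printf '%s\\n' \"$1\"", "printf '%s\\n' $1",
                              "printf '%s\\n' $QUERY_STRING" };
    char buf[256];
    for (size_t i = 0; i < 3; i++)
        if (arg_as_seen(scripts[i], buf, sizeof buf) == 0)
            printf("%-30s -> %s", scripts[i], buf);
    return 0;
}
```

The quoted use prints the pattern unchanged; both unquoted uses print the matching path names instead, so the fix belongs in the script's quoting rather than in how the argument is delivered.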
