httpd-dev mailing list archives

From Alexei Kosut <>
Subject Re: Bug?
Date Sun, 28 Jul 1996 21:40:27 GMT

On Sun, 28 Jul 1996, Ben Laurie wrote:

> If I cause a CGI to be run, thus: "http://somewhere/somecgi?%3f", then I would
> expect argv[1] in the CGI to be "?". Wouldn't you? Anyway, it isn't. It is
> "\?". I suspect the spurious "security hole" is the culprit. So, do I fix it?

a) Why would you want to use argv anyhow? Use QUERY_STRING. The argv
   support is just to make ancient htbin scripts easier to port. But,
   seeing as how no one uses them anymore (if they do, they aren't using
   Apache - we took out OldScriptAlias long ago).

b) In argv, all shell wildcards are escaped. Otherwise, it could be
   expanded by the shell, and that's generally a bad thing, security-wise.

c) If you really want to change the behavior, remove the "?" from line 597
   of util.c (the escape_shell_cmd() function). But I wouldn't
   recommend it.

-- Alexei Kosut <>            The Apache HTTP Server
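
The behaviour discussed in this message, as an added example that is not part of the original post and not Apache's util.c code: a query of `%3f` is URL-decoded to `?` and then backslash-escaped before it becomes an argument, which is why the CGI sees `\?`. The metacharacter set and the names `url_decode` and `query_to_argv_demo` are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed metacharacter set for this demo; not copied from Apache's util.c. */
static const char SHELL_META[] = "&;`'\"|*?~<>^()[]{}$\\\n";

/* Decode %XX in place; -1 on a malformed escape or an encoded NUL byte. */
static int url_decode(char *s)
{
    char *out = s;
    while (*s) {
        if (*s != '%') { *out++ = *s++; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2])) return -1;
        char hex[3] = { s[1], s[2], '\0' };
        long v = strtol(hex, NULL, 16);
        if (v == 0) return -1;          /* %00 would truncate the argument */
        *out++ = (char)v;
        s += 3;
    }
    *out = '\0';
    return 0;
}

/* Hypothetical helper: decode, then escape. Caller frees; NULL on bad input. */
char *query_to_argv_demo(const char *query)
{
    size_t n = strlen(query);
    char *dec = malloc(n + 1), *esc = malloc(2 * n + 1), *p = esc;
    if (dec) memcpy(dec, query, n + 1);
    if (!dec || !esc || url_decode(dec) != 0) {
        free(dec); free(esc); return NULL;
    }
    for (const char *c = dec; *c; c++) {
        if (strchr(SHELL_META, *c)) *p++ = '\\';  /* escape, don't strip */
        *p++ = *c;
    }
    *p = '\0';
    free(dec);
    return esc;
}

int main(void)
{
    char *arg = query_to_argv_demo("%3f");  /* constructed sample input */
    printf("argv[1] = %s\n", arg ? arg : "(rejected)");
    free(arg);
    return 0;
}
```

Escaping happens after decoding, so a percent-encoded wildcard gets the same treatment as a literal one. `QUERY_STRING` is handed to the script as an environment variable rather than an argument, so reading the query from there avoids the argv escaping.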
