httpd-dev mailing list archives

From Randy Terbush <ra...@zyzzyva.com>
Subject Re: suexec fixes
Date Sun, 22 Dec 1996 22:54:24 GMT
> > 3.  CGI command lines parameters problems
> > 
> > 	Code in call_exec() was not properly passing arguments in argv[]
> > 	if you want to pass arguments via '+' separated URL.
> > 	Taking the hint from Jake Buchholz I have changed create_argv()
> > 	to accept a variable number of parameters. This is the only
> > 	change to the server code and is included first in the
> > 	patch below.
> 
> Perhaps I'm being stupid ... I completely fail to see the point of this...
> 
> Cheers,
> 
> Ben.


I tend to agree, which is probably why I didn't implement it the first pass.
Some people apparently pass arguments to their CGI via argv[]. This does
kind of go against what CGI is all about, but we have apparently supported
it in the past for non-suexec stuff.

In reality, it could open up a security hole that I hadn't considered...

The wrapper should probably refuse to deal with arguments beyond its
known argument list.
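
The two pieces discussed in this message, as an added C example that is not part of the original message or of the Apache source: splitting a '+'-separated query into argv[] words, and a wrapper check that refuses anything beyond its known argument list. The function names, the CGI indexed-query rule that a query containing '=' yields no arguments, and the count of four wrapper arguments are assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define WRAPPER_ARGC 4  /* assumed known list: wrapper, user, group, command */

/* Decode %XX escapes in place; -1 on a malformed escape or a decoded NUL. */
static int percent_decode(char *s)
{
    char *out = s;
    for (; *s; s++, out++) {
        if (*s != '%') { *out = *s; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return -1;
        char hex[3] = { s[1], s[2], '\0' };
        *out = (char)strtol(hex, NULL, 16);
        if (*out == '\0')
            return -1;
        s += 2;
    }
    *out = '\0';
    return 0;
}

/*
 * Split a '+'-separated query string into words, the way a server builds
 * extra argv[] entries for a CGI. A query containing '=' is form data and
 * yields no arguments (assumed rule, see lead-in). Modifies `query` in
 * place. Returns the word count, or -1 on a bad escape or more than `max`
 * words.
 */
int query_to_args(char *query, char **words, int max)
{
    int n = 0;
    if (*query == '\0' || strchr(query, '=') != NULL)
        return 0;
    for (char *tok = query; tok != NULL; ) {
        char *next = strchr(tok, '+');
        if (next != NULL)
            *next++ = '\0';
        if (n == max || percent_decode(tok) != 0)
            return -1;
        words[n++] = tok;
        tok = next;
    }
    return n;
}

/* Wrapper-side check: accept exactly the known argument list, nothing more. */
int wrapper_args_ok(int argc)
{
    return argc == WRAPPER_ARGC;
}
```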




