httpd-dev mailing list archives

From Ben Laurie <...@gonzo.ben.algroup.co.uk>
Subject Re: suexec fixes
Date Mon, 23 Dec 1996 08:40:22 GMT
Randy Terbush wrote:
> 
> > > 3.  CGI command lines parameters problems
> > > 
> > > 	Code in call_exec() was not properly passing arguments in argv[]
> > > 	if you want to pass arguments via '+' separated URL.
> > > 	Taking the hint from Jake Buchholz I have changed create_argv()
> > > 	to accept a variable number of parameters. This is the only
> > > 	change to the server code and is included first in the
> > > 	patch below.
> > 
> > Perhaps I'm being stupid ... I completely fail to see the point of this...
> > 
> > Cheers,
> > 
> > Ben.
> 
> 
> I tend to agree, which is probably why I didn't implement it the first pass.
> Some people apparently pass arguments to their CGI via argv[]. This does
> kind of go against what CGI is all about, but we have apparently supported
> it in the past for non-suexec stuff.

This is not what I mean. You seem to have made create_argv() take a varargs,
then _always_ hand it one arg. Why?

> 
> In reality, it could open up a security hole that I hadn't considered...
> 
> The wrapper should probably refuse to deal with arguments beyond its
> known argument list.

No. As you say above, parameters are passed on the command line. People use
this behaviour, me included.

Cheers,

Ben.

-- 
Ben Laurie                Phone: +44 (181) 994 6435  Email: ben@algroup.co.uk
Freelance Consultant and  Fax:   +44 (181) 994 6472
Technical Director        URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd,         Apache Group member (http://www.apache.org)
London, England.          Apache-SSL author
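
The '+'-separated argument passing discussed in this message, as an added C example (not the patch under discussion and not Apache's create_argv()): it follows the CGI indexed-query convention, where a query with no unencoded '=' is split on '+' and each word is decoded into its own argv[] slot for execv(), so no shell ever interprets the words. The names `build_cgi_argv`, `url_decode` and `MAX_CGI_ARGS` are hypothetical.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CGI_ARGS 16  /* constructed limit for this example */

/* Decode %XX in place; returns 0 on success, -1 on a malformed escape or %00. */
static int url_decode(char *s)
{
    char *out = s;
    for (; *s; s++) {
        if (*s == '%') {
            if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
                return -1;
            char hex[3] = { s[1], s[2], '\0' };
            long v = strtol(hex, NULL, 16);
            if (v == 0)
                return -1;  /* an embedded NUL would silently truncate the argument */
            *out++ = (char)v;
            s += 2;
        } else {
            *out++ = *s;
        }
    }
    *out = '\0';
    return 0;
}

/*
 * Build a NULL-terminated argv for execv(): argv[0] is the script, followed by
 * the '+'-separated words of the query. A query containing '=' is form data and
 * yields no arguments. The query buffer is modified in place.
 * Returns argc, or -1 on a bad escape or too many arguments.
 */
int build_cgi_argv(const char *script, char *query, char *argv[], int max)
{
    int argc = 0;
    argv[argc++] = (char *)script;
    if (query && *query && !strchr(query, '=')) {
        char *word = query;
        while (word) {
            char *plus = strchr(word, '+');  /* split before decoding: %2B stays in-word */
            if (plus)
                *plus = '\0';
            if (argc >= max - 1 || url_decode(word) != 0)
                return -1;
            argv[argc++] = word;
            word = plus ? plus + 1 : NULL;
        }
    }
    argv[argc] = NULL;
    return argc;
}
```
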
