httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dean Gaudet <>
Subject Re: Thoughts on compiled Modules and httpd environment
Date Sun, 05 Apr 1998 21:37:14 GMT
Yeah this is a concern.  But unless php allows arbitrary env variables to
be modified I wouldn't worry about it.  If it does... well then that's a
security bug caused by mod_php.  Modify PATH, do your damage. 


On Fri, 3 Apr 1998, Jim Jagielski wrote:

> There is currently some discussion on the PHP3 list about it's use
> of PutEnv/putenv to add/change environment variables... Since PHP3
> is internal to the httpd process, this has the net effect of changing
> the actual httpd process' environment. Now when we call call_exec,
> we take care to clean out the environment with create_environment
> (we do this for mod_include and mod_cgi), but in other places we
> simply execl (true, most of those look like they are the parent
> process and not the child process) so it's _possible_ that an
> altered environment will find it's way outside... This concerns
> me, but I'm not sure if it's in the least bit justified... Just
> the idea of a httpd process' environment being changed at will...
> Anyway, is PHP3 alone in this capability? Does mod_perl or other
> embedded modules allow for environ to be altered? If so, _is_
> it a concern?
> -- 
> ===========================================================================
>    Jim Jagielski   |||   |||
>             "That's no ordinary rabbit... that's the most foul,
>             cruel and bad-tempered rodent you ever laid eyes on"

View raw message