From Tony Finch <>
Subject Re: Environment Variables
Date Mon, 16 Aug 1999 01:42:01 GMT
Ben Laurie <> wrote:
>One of the things I've noticed lately is a fatal flaw with CGIs, modules
>and environment variables. The problem is that the story is "replace
>your CGIs with modules" but ... other modules set environment variables,
>and typically they do it in the "fixups" hook. Worse, the CGI module
>doesn't do it unless you run a CGI! This means that when you write a
>module, suddenly you don't get the env vars.
>So, I was thinking, there really ought to be a "set env vars" hook, and
>it ought to be called from the standard env var setting function.
>Thoughts? (this is a 2.0 proposal, natch).

I've also noticed when hacking around that there are currently at
least three and a half places where environment variables are dealt
with (mod_cgi, mod_include, mod_rewrite, suexec), and in different
ways (mod_rewrite doesn't use ap_create_environment but instead has a
rather bizarre lookup_variable function). As a result of this the %{}e
log format specifier is not as useful as it might be -- I had to add
%V rather than use %{SERVER_NAME}e.

So I agree that sanitizing all this stuff is a good idea.

(I count suexec as a half because it has its own knowledge of valid
env vars for security reasons. Should it have knowledge of mod_foo's
variables, and if so how should it find out about them?)

f.a.n.finch    e pluribus unix
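
Added example, not part of the original message and not suexec's own code: a minimal allowlist filter of the kind the suexec parenthetical describes, showing that a variable set by another module is silently dropped unless the filter is told about it. The allowlist contents, the sample environment and the name MOD_FOO_USER (standing for a variable set by a hypothetical mod_foo) are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed allowlist for illustration; NOT suexec's real list. */
static const char *const exact_allow[]  = { "PATH_INFO", "QUERY_STRING", "SERVER_NAME", NULL };
static const char *const prefix_allow[] = { "HTTP_", NULL };

/* Constructed sample environment; MOD_FOO_USER stands for a variable
 * set by a hypothetical mod_foo in its fixups hook. */
static char *const sample_env[] = {
    "SERVER_NAME=www.example.org", "HTTP_HOST=www.example.org",
    "MOD_FOO_USER=alice", "QUERY_STRING=a=1", "BROKEN", NULL
};

/* Return 1 if the name part of a "NAME=value" entry is on the allowlist. */
static int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t nlen, i;

    if (eq == NULL || eq == entry)
        return 0;                       /* no '=' or empty name: drop */
    nlen = (size_t)(eq - entry);
    for (i = 0; exact_allow[i] != NULL; i++)
        if (strlen(exact_allow[i]) == nlen && strncmp(entry, exact_allow[i], nlen) == 0)
            return 1;
    for (i = 0; prefix_allow[i] != NULL; i++) {
        size_t plen = strlen(prefix_allow[i]);
        if (nlen > plen && strncmp(entry, prefix_allow[i], plen) == 0)
            return 1;
    }
    return 0;
}

/* Copy allowed entries of a NULL-terminated env into out (which needs as
 * many slots as in, including the NULL); return how many were kept. */
static size_t filter_env(char *const in[], const char *out[])
{
    size_t i, kept = 0;
    for (i = 0; in[i] != NULL; i++)
        if (env_entry_allowed(in[i]))
            out[kept++] = in[i];
    out[kept] = NULL;
    return kept;
}

int main(void)
{
    const char *clean[sizeof(sample_env) / sizeof(sample_env[0])];
    size_t i, n = filter_env(sample_env, clean);
    for (i = 0; i < n; i++)
        puts(clean[i]);                 /* MOD_FOO_USER is not printed */
    return 0;
}
```

Matching on the exact name length keeps near-miss names such as SERVER_NAMEX out, and the prefix rule requires at least one character after the prefix.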

