httpd-dev mailing list archives

From Tony Finch <...@dotat.at>
Subject Re: Environment Variables
Date Mon, 16 Aug 1999 01:42:01 GMT
Ben Laurie <ben@algroup.co.uk> wrote:
>
>One of the things I've noticed lately is a fatal flaw with CGIs, modules
>and environment variables. The problem is that the story is "replace
>your CGIs with modules" but ... other modules set environment variables,
>and typically they do it in the "fixups" hook. Worse, the CGI module
>doesn't do it unless you run a CGI! This means that when you write a
>module, suddenly you don't get the env vars.
>
>So, I was thinking, there really ought to be a "set env vars" hook, and
>it ought to be called from the standard env var setting function
>(ap_add_common_vars).
>
>Thoughts? (this is a 2.0 proposal, natch).

I've also noticed when hacking around that there are currently at
least three and a half places where environment variables are dealt
with (mod_cgi, mod_include, mod_rewrite, suexec), and in different
ways (mod_rewrite doesn't use ap_create_environment but instead has a
rather bizarre lookup_variable function). As a result of this the %{}e
log format specifier is not as useful as it might be -- I had to add
%V rather than use %{SERVER_NAME}e.

So I agree that sanitizing all this stuff is a good idea.

(I count suexec as a half because it has its own knowledge of valid
env vars for security reasons. Should it have knowledge of mod_foo's
variables, and if so how should it find out about them?)

Tony.
-- 
f.a.n.finch    dot@dotat.at    fanf@demon.net    e pluribus unix
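
The suexec question raised above, as an added sketch that is not part of the original message and is not suexec's own code: an allowlist filter over the environment handed to a child process, showing that a variable set by a hypothetical mod_foo (`FOO_SESSION`) is dropped unless the wrapper's list knows about it. The list contents, function names and sample values are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed allowlist (an assumption, not suexec's real list).
 * Exact names end in '=' so "SERVER_NAMEX" cannot match "SERVER_NAME";
 * "HTTP_" is a deliberate prefix match for request headers. */
static const char *const safe_env[] = {
    "SERVER_NAME=", "REQUEST_METHOD=", "QUERY_STRING=", "HTTP_", NULL
};

/* Return 1 if a "NAME=value" entry starts with an allowlisted prefix. */
static int env_is_safe(const char *entry)
{
    for (size_t i = 0; safe_env[i] != NULL; i++)
        if (strncmp(entry, safe_env[i], strlen(safe_env[i])) == 0)
            return 1;
    return 0;
}

/* Copy allowlisted entries from in[] (NULL-terminated) into out[],
 * which holds out_cap pointers including the terminating NULL.
 * Returns the number kept, or -1 if out[] is too small; on -1 the
 * caller must not use out[] (fail closed rather than truncate). */
int filter_env(const char *const in[], const char *out[], size_t out_cap)
{
    size_t kept = 0;
    if (out_cap == 0)
        return -1;
    for (size_t i = 0; in[i] != NULL; i++) {
        if (!env_is_safe(in[i]))
            continue;               /* unknown variable: drop it */
        if (kept + 1 >= out_cap)
            return -1;
        out[kept++] = in[i];
    }
    out[kept] = NULL;
    return (int)kept;
}

/* Constructed sample: an inherited environment that includes a
 * variable from a hypothetical mod_foo and a loader variable. */
const char *const sample_env[] = {
    "SERVER_NAME=www.example.org", "FOO_SESSION=abc123",
    "HTTP_USER_AGENT=test", "LD_PRELOAD=/tmp/x.so",
    "SERVER_NAMEX=spoof", NULL
};
```

With a fixed list like this, a module's variables reach the CGI only if the wrapper is rebuilt or otherwise told about them, which is the trade-off the message asks about.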
