Return-Path:
Delivered-To: new-httpd-archive@hyperreal.org
Received: (qmail 13155 invoked by uid 6000); 16 Aug 1999 01:42:09 -0000
Received: (qmail 13111 invoked from network); 16 Aug 1999 01:42:03 -0000
Received: from fanf.noc.demon.net (195.11.55.83) by taz.hyperreal.org with SMTP; 16 Aug 1999 01:42:03 -0000
Received: from fanf by fanf.noc.demon.net with local (Exim 3.02 #13) id 11GBmj-0002IB-00 for new-httpd@apache.org; Mon, 16 Aug 1999 02:42:01 +0100
To: new-httpd@apache.org
From: Tony Finch
Subject: Re: Environment Variables
In-Reply-To: <37B70441.8BA6121C@algroup.co.uk>
Message-Id:
Date: Mon, 16 Aug 1999 02:42:01 +0100
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

Ben Laurie wrote:
>
>One of the things I've noticed lately is a fatal flaw with CGIs, modules
>and environment variables. The problem is that the story is "replace
>your CGIs with modules" but ... other modules set environment variables,
>and typically they do it in the "fixups" hook. Worse, the CGI module
>doesn't do it unless you run a CGI! This means that when you write a
>module, suddenly you don't get the env vars.
>
>So, I was thinking, there really ought to be a "set env vars" hook, and
>it ought to be called from the standard env var setting function
>(ap_add_common_vars).
>
>Thoughts? (this is a 2.0 proposal, natch).

I've also noticed when hacking around that there are currently at least three and a half places where environment variables are dealt with (mod_cgi, mod_include, mod_rewrite, suexec), and in different ways (mod_rewrite doesn't use ap_create_environment but instead has a rather bizarre lookup_variable function). As a result of this the %{}e log format specifier is not as useful as it might be -- I had to add %V rather than use %{SERVER_NAME}e. So I agree that sanitizing all this stuff is a good idea.

(I count suexec as a half because it has its own knowledge of valid env vars for security reasons. Should it have knowledge of mod_foo's variables, and if so how should it find out about them?)

Tony.
--
f.a.n.finch dot@dotat.at fanf@demon.net
e pluribus unix
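
The suexec question at the end of the message, as an added example that is not part of the original post and is not suexec's own code: an allowlist-based environment filter drops a module's variable unless that name has been registered with it. The names `filter_env`, `env_has`, `base_allow` and `MOD_FOO_USER`, the allowlist contents and the sample environment are all hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed base allowlist; entries end in '=' so they match whole names. */
static const char *const base_allow[] = { "SERVER_NAME=", "REQUEST_METHOD=", NULL };

/* Constructed sample environment as a privileged CGI wrapper might receive it. */
static const char *const sample_env[] = {
    "SERVER_NAME=www.example.org", "LD_PRELOAD=/tmp/x.so", "MOD_FOO_USER=alice",
    "REQUEST_METHOD=GET", "SERVER_NAMEX=1", "NOEQUALS", NULL
};

/* Return 1 if entry begins with any prefix in list (list may be NULL). */
static int allowed(const char *entry, const char *const *list)
{
    for (; list && *list; list++)
        if (strncmp(entry, *list, strlen(*list)) == 0)
            return 1;
    return 0;
}

/* Copy into out[] only entries matched by base_allow or by extra, the
 * module-registered names. Assumption: extra comes from a trusted source
 * (compiled in or read from protected config), never from the caller.
 * Returns the number of entries kept; out[] is NULL-terminated. */
size_t filter_env(const char *const *in, const char **out, size_t cap,
                  const char *const *extra)
{
    size_t n = 0;
    for (; *in && n + 1 < cap; in++) {
        if (strchr(*in, '=') == NULL)
            continue;                       /* malformed entry: drop it */
        if (allowed(*in, base_allow) || allowed(*in, extra))
            out[n++] = *in;
    }
    out[n] = NULL;
    return n;
}

/* Return 1 if env contains a variable called exactly name. */
int env_has(const char *const *env, const char *name)
{
    size_t len = strlen(name);
    for (; *env; env++)
        if (strncmp(*env, name, len) == 0 && (*env)[len] == '=')
            return 1;
    return 0;
}

int main(void)
{
    const char *out[8];
    const char *const extra[] = { "MOD_FOO_USER=", NULL };
    printf("base only: kept %zu\n", filter_env(sample_env, out, 8, NULL));
    printf("with mod_foo registered: kept %zu\n", filter_env(sample_env, out, 8, extra));
    return 0;
}
```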