httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From hiten pandya <hpan...@lycos.co.uk>
Subject regarding mod_env.c (PR#370)
Date Thu, 01 Jan 1970 00:00:00 GMT
hi all,

(/modules/metadata/mod_env.c)
i found the PR#370 for solving ...

regarding the $PATH variable, jus' wondering, are all the 
environment variables coming right out of the shell the user is 
logged on through, i got this wild bit of code in the file:

 name = ap_getword_conf(cmd->pool, &arg);
 value = ap_getword_conf(cmd->pool, &arg);

this could possibly lead to a security risk.. dont you guys think?

i think we should provide a function which can modify the 
value of the $PATH and other major environment variables 
through the httpd.conf file, which should possible 99.9% 
remove the insecurity.

thanks
greetings

Hiten Pandya
hpandya@lycos.co.uk

Reply-To:
hpandya@lycos.co.uk
______________________________________________________
Free E-mail - Lycos UK - http://www.lycos.co.uk
Get your domain for £9.90 - http://lycos.uk.domainnames.com/default.asp?caller=lycos_ef
Play now to win £1 Million - http://www.thedailydraw.com/mainframe.cfm?source=lycos



Mime
  • Unnamed multipart/mixed (inline, None, 0 bytes)
View raw message