httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joshua Slive" <jos...@slive.ca>
Subject RE: [PATCH] SSL_* in suexec safe env list
Date Sun, 03 Feb 2002 17:37:58 GMT

> From: Zvi Har'El [mailto:rl@math.technion.ac.il]

> I agree with Joshua completely that the conditioning on mod_ssl is not
> necessary. However, comparing with the apache 1.3 version of
> suexec.c, and the
> fact that in 2.0 ssl_engine_kernel.c (line 1035) still sets the SSI/CGI
> environment variable HTTPS=on , I would recommand to have a
> triple rather then
> double strncmp:
>
> -        if (!strncmp(*ep, "HTTP_", 5)) {
> +        if (!strncmp(*ep, "HTTP_", 5) || !strncmp(*ep, "HTTPS", 5) ||
> +			!strncmp(*ep, "SSL_", 4)) {

I'm not sure why Ralf did it that way.  It seems that HTTPS should simply be
added to the safe list near the top of the file.  The revised patch is
below.

As I said, I'm not going to commit without two "+1"s.


Index: suexec.c
===================================================================
RCS file: /home/cvs/httpd-2.0/support/suexec.c,v
retrieving revision 1.17
diff -u -d -b -r1.17 suexec.c
--- suexec.c    22 Nov 2001 07:42:13 -0000      1.17
+++ suexec.c    3 Feb 2002 17:30:13 -0000
@@ -136,6 +136,7 @@
     "DOCUMENT_URI",
     "FILEPATH_INFO",
     "GATEWAY_INTERFACE",
+    "HTTPS",
     "LAST_MODIFIED",
     "PATH_INFO",
     "PATH_TRANSLATED",
@@ -227,7 +228,7 @@
     cidx++;

     for (ep = environ; *ep && cidx < AP_ENVBUF-1; ep++) {
-        if (!strncmp(*ep, "HTTP_", 5)) {
+        if (!strncmp(*ep, "HTTP_", 5) || !strncmp(*ep, "SSL_", 4)) {
             cleanenv[cidx] = *ep;
             cidx++;
         }


Mime
View raw message