httpd-dev mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject RE: SSI vs CGI
Date Sun, 03 Feb 2002 16:09:07 GMT

> From: Zvi Har'El [mailto:rl@math.technion.ac.il]
>
> RedHat uses suexec by default, and this could be the reason. But I don't
> really see why HTTPS=on is less safe than all the SSL_ variables. For me it is
> a method to decide if my script should redirect to HTTP or HTTPS URLs, and
> there is no security breach in giving this script this piece of information,
> even though the script is run with suid set.

There is no problem with the particular variable "HTTPS".  The problem is
with letting any arbitrary variable through, because suexec has no way to
know for sure that the variable isn't dangerous.  There is no problem with
editing suexec.c to add your variables to the safe list.

Joshua.
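
An added example, not part of the original message and not code from suexec.c: a minimal allow-list environment filter in C showing the point made above, that a variable such as HTTPS reaches the script only once it is explicitly listed, while everything unlisted is dropped. The list contents, function names and sample environment are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical allow-lists (not the list shipped in suexec.c).
 * An entry ending in '=' matches one whole variable name;
 * any other entry matches a name prefix. */
const char *const base_list[]     = { "HTTP_", "SSL_", "QUERY_STRING=", NULL };
const char *const extended_list[] = { "HTTP_", "SSL_", "QUERY_STRING=", "HTTPS=", NULL };

/* Constructed sample environment handed to the wrapper. */
const char *const sample_env[] = {
    "HTTPS=on", "SSL_PROTOCOL=TLSv1", "LD_PRELOAD=/tmp/x.so",
    "HTTP_USER_AGENT=test", "IFS=;", NULL
};

/* Return 1 if the "NAME=value" entry starts with any allow-list entry. */
int is_allowed(const char *entry, const char *const *list)
{
    for (size_t i = 0; list[i] != NULL; i++) {
        if (strncmp(entry, list[i], strlen(list[i])) == 0)
            return 1;
    }
    return 0;
}

/* Copy only allowed entries into out (cap slots, NULL included).
 * Unknown variables are dropped by default. Returns the count kept. */
size_t filter_env(const char *const *env, const char *const *list,
                  const char **out, size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return 0;
    for (size_t i = 0; env[i] != NULL && n + 1 < cap; i++) {
        if (is_allowed(env[i], list))
            out[n++] = env[i];
    }
    out[n] = NULL;
    return n;
}

int main(void)
{
    const char *out[8];
    size_t n = filter_env(sample_env, extended_list, out, 8);
    for (size_t i = 0; i < n; i++)
        printf("kept: %s\n", out[i]);
    return 0;
}
```

Because "HTTPS=" is an exact-name entry, adding it does not also admit names that merely begin with HTTPS.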

