httpd-dev mailing list archives

From "Zvi Har'El" ...@math.technion.ac.il>
Subject RE: SSI vs CGI
Date Sun, 03 Feb 2002 07:01:34 GMT
On Sat, 2 Feb 2002, Joshua Slive wrote:

>
> > From: Zvi Har'El [mailto:rl@math.technion.ac.il]
>
> > Friends,
> >
> > I compared the environment variables I get in an SSI, like
> > <!--#printenv-->,
> > and a CGI, running a script like
> >
> > #!/usr/local/bin/zsh -x
> > echo "Content-type: text/plain"
> > echo
> > printenv
>
> [missing env variables in cgi]
>
> Are you using suexec? (httpd -l will tell you)
>
> If so, you should be aware that suexec cleans the environment down to a
> "safe" list of environment variables.  Apache 2 should probably include the
> SSL_* variables in that safe list, but it doesn't at the moment.
>
> Joshua.
>

RedHat uses suexec by default, and this could be the reason. But I don't
really see why HTTPS=on is less safe than all the SSL_ variables. For me it is
a method to decide if my script should redirect to HTTP or HTTPS URLs, and
there is no security breach in giving this script this piece of information,
even though the script is run with suid set.

-- 
Dr. Zvi Har'El     mailto:rl@math.technion.ac.il     Department of Mathematics
tel:+972-54-227607                   Technion - Israel Institute of Technology
fax:+972-4-8324654 http://www.math.technion.ac.il/~rl/     Haifa 32000, ISRAEL
"If you can't say somethin' nice, don't say nothin' at all." -- Thumper (1942)
                             Sunday, 21 Shevat 5762,  3 February 2002,  8:54AM
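To make the mechanism discussed in this thread concrete, the following Python snippet is an added illustration of an environment allowlist of the kind the reply attributes to suexec: anything not on the list is dropped before the CGI script runs, and variables such as HTTPS and SSL_* appear only if the list admits them. It is not suexec's source; SAFE_NAMES, SAFE_PREFIXES and SAMPLE_ENV are constructed for the example, and the real list for a given Apache release has to be read from its own suexec code.

```python
"""Added example: an allowlist-based environment cleaner of the kind the
thread describes for suexec.  Not suexec's code; the lists and the sample
environment below are constructed for illustration."""

from typing import Dict, FrozenSet, List, Tuple

# Constructed allowlist (not Apache's actual one): exact names a CGI
# wrapper might pass through unchanged, plus prefixes it passes wholesale.
SAFE_NAMES: FrozenSet[str] = frozenset({
    "AUTH_TYPE", "CONTENT_LENGTH", "CONTENT_TYPE", "GATEWAY_INTERFACE",
    "PATH_INFO", "PATH_TRANSLATED", "QUERY_STRING", "REMOTE_ADDR",
    "REMOTE_HOST", "REMOTE_USER", "REQUEST_METHOD", "SCRIPT_NAME",
    "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL", "SERVER_SOFTWARE",
})
SAFE_PREFIXES: Tuple[str, ...] = ("HTTP_",)


def clean_environment(env: Dict[str, str],
                      safe_names: FrozenSet[str] = SAFE_NAMES,
                      safe_prefixes: Tuple[str, ...] = SAFE_PREFIXES) -> Dict[str, str]:
    """Keep only variables the allowlist admits; everything else is dropped.

    A variable survives if its name is in safe_names or starts with one of
    safe_prefixes.  Values are never inspected: the filter is by name only,
    which is why an SSL_* variable disappears regardless of its content."""
    return {
        name: value
        for name, value in env.items()
        if name in safe_names or name.startswith(safe_prefixes)
    }


def dropped_variables(env: Dict[str, str], cleaned: Dict[str, str]) -> List[str]:
    """Names present before cleaning but absent afterwards, sorted for display."""
    return sorted(set(env) - set(cleaned))


def ssl_aware_allowlist() -> Tuple[FrozenSet[str], Tuple[str, ...]]:
    """The extension the thread asks for: admit HTTPS and the SSL_* family.

    This is the hypothetical corrected list for the example, not a quote of
    any Apache release."""
    return SAFE_NAMES | {"HTTPS"}, SAFE_PREFIXES + ("SSL_",)


# Constructed sample of what a server might export for one HTTPS request.
SAMPLE_ENV: Dict[str, str] = {
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "x=1",
    "HTTP_HOST": "www.example.org",
    "HTTPS": "on",
    "SSL_PROTOCOL": "TLSv1",
    "SSL_CIPHER": "EXAMPLE-CIPHER",
    "PATH": "/usr/local/bin:/bin",   # not on the list: the wrapper sets its own
    "TZ": "Asia/Jerusalem",          # not on the list either
}

if __name__ == "__main__":
    strict = clean_environment(SAMPLE_ENV)
    print("strict list keeps:", sorted(strict))
    print("strict list drops:", dropped_variables(SAMPLE_ENV, strict))

    names, prefixes = ssl_aware_allowlist()
    extended = clean_environment(SAMPLE_ENV, names, prefixes)
    print("SSL-aware list keeps:", sorted(extended))
    print("SSL-aware list drops:", dropped_variables(SAMPLE_ENV, extended))
```

Run as a script, the first pass shows HTTPS and both SSL_* variables missing, which is the symptom the original post reports for the CGI case; the second pass shows them passing through while PATH and TZ are still dropped, so widening the allowlist for the TLS variables does not mean passing the whole environment. The same comparison can be made on a live server by running the thread's printenv CGI once with suexec enabled and once without.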

