httpd-dev mailing list archives

From "Zvi Har'El" ...@math.technion.ac.il>
Subject RE: SSI vs CGI
Date Sun, 03 Feb 2002 17:08:06 GMT
On Sun, 3 Feb 2002, Joshua Slive wrote:

>
> > From: Zvi Har'El [mailto:rl@math.technion.ac.il]
> >
> > RedHat uses suexec by default, and this could be the reason. But I don't
> > really see why HTTPS=on is less safe than all the SSL_ variables. For me
> > it is a method to decide if my script should redirect to HTTP or HTTPS
> > URLs, and there is no security breach in giving this script this piece
> > of information, even though the script is run with suid set.
>
> There is no problem with the particular variable "HTTPS".  The problem is
> with letting any arbitrary variable through, because suexec has no way to
> know for sure that the variable isn't dangerous.  There is no problem with
> editing suexec.c to add your variables to the safe list.
>
> Joshua.
>
I looked at the sources of apache-1.3.23/src/support/suexec.c:

    for (ep = environ; *ep && cidx < AP_ENVBUF-1; ep++) {
#ifdef MOD_SSL
        if (!strncmp(*ep, "HTTP_", 5) ||
            !strncmp(*ep, "HTTPS", 5) ||
            !strncmp(*ep, "SSL_", 4)) {
#else
        if (!strncmp(*ep, "HTTP_", 5)) {
#endif
            cleanenv[cidx] = *ep;
            cidx++;
        }

This means this is exactly what I need.  This is also OK for 1.3.22. However,
you need to compile suexec explicitly for MOD_SSL. So, there is no problem in
Apache, only in the RedHat distribution: /usr/sbin/suexec comes with the apache
package (currently apache-1.3.22-2), and it is not compiled with the MOD_SSL
flag, and the mod_ssl package (currently mod_ssl-2.8.5-1) is an add-on which
doesn't have its own /usr/sbin/suexec! I'll send a bug report to RedHat. But,
to say the truth, I don't see why this compilation flag is needed at all.
Following the warning "DO NOT edit this code!!!  Unless you know what you are
doing" I wouldn't change it myself, but can you see a reason why we cannot
always keep the HTTPS and SSL_ environment variables? Is this unsafe?

-- 
Dr. Zvi Har'El     mailto:rl@math.technion.ac.il     Department of Mathematics
tel:+972-54-227607                   Technion - Israel Institute of Technology
fax:+972-4-8324654 http://www.math.technion.ac.il/~rl/     Haifa 32000, ISRAEL
"If you can't say somethin' nice, don't say nothin' at all." -- Thumper (1942)
                             Sunday, 22 Shevat 5762,  3 February 2002,  6:54PM
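
Added example, not part of the original message and not Apache's code: a stand-alone C program that re-implements only the prefix tests from the quoted loop, with the MOD_SSL compile-time switch turned into a runtime flag so the two builds can be compared on one environment. ENVBUF, filter_env, has_var and the sample variables are assumptions made for the demo. It also shows that the tests are prefix matches, so the "HTTPS" test keeps any variable whose name begins with those five letters.

```c
#include <stdio.h>
#include <string.h>
#define ENVBUF 16   /* stand-in for AP_ENVBUF; size chosen for this demo */

/* Prefix tests from the quoted loop; #ifdef MOD_SSL becomes a runtime flag. */
static int passes(const char *var, int mod_ssl)
{
    if (!strncmp(var, "HTTP_", 5))
        return 1;
    return mod_ssl && (!strncmp(var, "HTTPS", 5) || !strncmp(var, "SSL_", 4));
}

/* Copy the surviving entries into out[] (NULL-terminated); return the count. */
int filter_env(const char **env, int mod_ssl, const char **out)
{
    int cidx = 0;
    for (const char **ep = env; *ep && cidx < ENVBUF - 1; ep++)
        if (passes(*ep, mod_ssl))
            out[cidx++] = *ep;
    out[cidx] = NULL;
    return cidx;
}

/* 1 if a variable with exactly this name is in the list, else 0. */
int has_var(const char **list, const char *name)
{
    size_t n = strlen(name);
    for (; *list; list++)
        if (!strncmp(*list, name, n) && (*list)[n] == '=')
            return 1;
    return 0;
}

/* Constructed sample environment, not captured from a real server. */
const char *sample_env[] = {
    "HTTP_HOST=www.example.org", "HTTPS=on", "SSL_PROTOCOL=TLSv1",
    "LD_PRELOAD=/constructed/lib.so", "HTTPSFOO=1", NULL
};

int main(void)
{
    const char *out[ENVBUF];
    for (int ssl = 0; ssl <= 1; ssl++) {
        printf("MOD_SSL=%d keeps %d:", ssl, filter_env(sample_env, ssl, out));
        for (int i = 0; out[i]; i++)
            printf(" %s", out[i]);
        putchar('\n');
    }
    return 0;
}
```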

