Return-Path: 
 <dev-return-25795-apmail-httpd-dev-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-dev-archive@httpd.apache.org
Received: (qmail 82446 invoked by uid 500); 3 Feb 2002 17:23:11 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:dev-help@httpd.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@httpd.apache.org>
list-post: <mailto:dev@httpd.apache.org>
Delivered-To: mailing list dev@httpd.apache.org
Received: (qmail 82433 invoked from network); 3 Feb 2002 17:23:11 -0000
Date: Sun, 3 Feb 2002 19:23:05 +0200 (IST)
From: "Zvi Har'El" <rl@math.technion.ac.il>
To: <dev@httpd.apache.org>
Subject: Re: [PATCH] SSL_* in suexec safe env list
In-Reply-To: <ELEDJONBOPPAEGANDEEIAECFCBAA.joshua@slive.ca>
Message-ID: 
 <Pine.GSO.4.33.0202031913140.15428-100000@leeor.math.technion.ac.il>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

Hi,

I agree with Joshua completely that the conditioning on mod_ssl is not
necessary. However, comparing with the apache 1.3 version of suexec.c, and the
fact that in 2.0 ssl_engine_kernel.c (line 1035) still sets the SSI/CGI
environment variable HTTPS=on , I would recommand to have a triple rather then
double strncmp:

-        if (!strncmp(*ep, "HTTP_", 5)) {
+        if (!strncmp(*ep, "HTTP_", 5) || !strncmp(*ep, "HTTPS", 5) ||
+			!strncmp(*ep, "SSL_", 4)) {


On Sat, 2 Feb 2002, Joshua Slive wrote:

> I think this is the "right thing", but I won't commit it myself without a
> couple "+1"s, because I don't trust myself mucking with suexec.  Someone
> suggested making this conditional on mod_ssl being included in the build,
> but I don't see the point.  There doesn't seem to be any danger in allowing
> SSL_ to pass in all cases.
>
> Index: suexec.c
> ===================================================================
> RCS file: /home/cvs/httpd-2.0/support/suexec.c,v
> retrieving revision 1.17
> diff -u -d -b -r1.17 suexec.c
> --- suexec.c    22 Nov 2001 07:42:13 -0000      1.17
> +++ suexec.c    2 Feb 2002 22:40:14 -0000
> @@ -227,7 +227,7 @@
>      cidx++;
>
>      for (ep = environ; *ep && cidx < AP_ENVBUF-1; ep++) {
> -        if (!strncmp(*ep, "HTTP_", 5)) {
> +        if (!strncmp(*ep, "HTTP_", 5) || !strncmp(*ep, "SSL_", 4)) {
>              cleanenv[cidx] = *ep;
>              cidx++;
>          }
>

-- 
Dr. Zvi Har'El     mailto:rl@math.technion.ac.il     Department of Mathematics
tel:+972-54-227607                   Technion - Israel Institute of Technology
fax:+972-4-8324654 http://www.math.technion.ac.il/~rl/     Haifa 32000, ISRAEL
"If you can't say somethin' nice, don't say nothin' at all." -- Thumper (1942)
                             Sunday, 22 Shevat 5762,  3 February 2002,  7:13PM