httpd-dev mailing list archives

From André Malo
Subject Re: [PATCH] Query string parsing for mod_include.c
Date Tue, 09 Sep 2003 07:17:53 GMT

>Attached is a patch that implements a new directive in mod_include.c,
>#parseqs, which parses the name=value pairs on the query string and places
>the results in the subprocess environment table, allowing you to do highly
>neat things with SSI scripts. I found this feature to be quite useful.
>1. A potential security problem is that a malicious person may be able to
>use it to override important environment variables on a page where he
>knows #parseqs is in use. We might want to disallow all-CAPS variables
>from being modified in this fashion.
>2. There is no support for query string variables with multiple values.

In general this is really a desired feature. Thanks!
There are some issues, anyway ;-)

- one should recognize ; as delimiter as well (ok, trivial)

- to circumvent the security flaw, I'd suggest to extend the #set handler
  instead, for example:
    <!--#set var="foo" query="param_name" -->, which would be really safe.
  I'm not sure, whether the query parameter should be expanded. Opinions?

- The second one could be solved with things like
  <!--#set var="foo" query="param_name[i]" -->, where i starts with 0 or 1 (?).

- what about unescaping the values?

There's still another point. I'd add this to the 2.1 branch only, 
because (a) we're going forward *there*, (b) mod_include was redesigned 
to give a way better interface and (c) we should not play with our (not 
really, but ...) stable branch.

>Please go easy on me. :) I haven't submitted anything to Apache before,
>but I found this hack to be quite useful. I look forward to your comments.

Please attach patches as text/plain.

Thanks, nd
