httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Leggett <>
Subject Re: svn commit: r1554300 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/ap_regex.h include/http_core.h modules/proxy/mod_proxy.c modules/proxy/mod_proxy.h server/core.c server/request.c server/util_pcre.c
Date Wed, 01 Jan 2014 12:06:17 GMT
On 01 Jan 2014, at 1:59 PM, Stefan Fritsch <> wrote:

> I definitely like this idea. While I haven't done a full review of the 
> patch, I have a few questions:
> Aren't the apr_table keys case insensitive anyway? Why do we need the 
> case conversion of the key names?

All the variables in subprocess_env are all uppecased, before I added the uppercasing the
variables were the only ones lowercased when they were listed and it looked wrong.

> Maybe making ap_regname() accept an optional prefix string that is 
> prepended to each name would be a good idea?
> Maybe the use in <LocationMatch> and friends should add some prefix to 
> the names? Like "m_" or "match_" or "m:"? This would make it more 
> difficult to shoot oneself in the foot by allowing a remote attacker 
> to set env variables that have some special meanings elsewhere in 
> httpd (or in an executed cgi script). And/or maybe these values should 
> be filtered out again when exporting them to cgi env variables?

I wondered about this, on one hand it is nice to be able to set any variable, but on the other
hand there is a lot of safety in preventing someone from being able to shadow an existing
variable. I had "MATCH_FOO" in mind originally.


View raw message