httpd-users mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject RE: suExec, mod_ssl, and CGI Environment variables.
Date Mon, 17 Dec 2001 17:55:08 GMT


> From: Brian G. Reid [mailto:breid@customlogic.com]

> I am trying to use suExec for running CGI programs on a server that
> is secured using mod_ssl.  The problem that I am running into is that
> suExec strips out all of the SSL related environment variables when it
> cleans the environment space of the child process.  Since it strips out
> the variables, I lose the ability to detect whether my CGI programs are
> running through SSL.  Is there any harm in not stripping out the SSL
> environment variables?  Are there any plans to modify suExec to pass
> these variables through or at least pass the HTTPS variable through?
>
> It seems that it would be easy, in suexec.c to add the HTTPS variable
> to the "safe_env_lst" variable and add a check in clean_env() to look
> for and retain all the variables that start with "SSL_".

There is no harm in changing suexec to pass specific env variables.  The
idea of clean_env is to prevent an attacker from polluting important system
variables.  If you submit a patch to the bug database, it may be accepted.
(For 2.0, of course.  Apache 1.3 has no hooks for SSL on its own.)

Joshua.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
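
The allowlist filtering discussed in this thread (exact names such as HTTPS plus an "SSL_" prefix rule), as an added sketch that is not part of the original messages and is not code from suexec.c. The function names, the allowlist contents, and the sample environment are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allowlists for this sketch, not the contents of suexec.c. */
static const char *const exact_names[] = { "HTTPS", "REQUEST_METHOD", "QUERY_STRING", NULL };
static const char *const name_prefixes[] = { "SSL_", NULL };

/* Return 1 if a "NAME=value" entry may be passed to the CGI child, else 0. */
static int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t nlen, i;
    if (eq == NULL || eq == entry) return 0;   /* no '=' or empty name: drop */
    nlen = (size_t)(eq - entry);
    for (i = 0; name_prefixes[i]; i++)   /* a prefix holds no '=', so a match lies within NAME */
        if (strncmp(entry, name_prefixes[i], strlen(name_prefixes[i])) == 0) return 1;
    for (i = 0; exact_names[i]; i++)     /* whole-name match: "HTTPSX" is not "HTTPS" */
        if (strlen(exact_names[i]) == nlen && memcmp(entry, exact_names[i], nlen) == 0) return 1;
    return 0;
}

/* Build a new NULL-terminated array of the allowed entries; NULL if allocation fails. */
static char **build_clean_env(char *const envp[], size_t *kept)
{
    size_t n = 0, k = 0, i;
    char **out;
    while (envp[n]) n++;
    out = calloc(n + 1, sizeof(*out));   /* zeroed, so the array is already terminated */
    if (out == NULL) return NULL;
    for (i = 0; i < n; i++)
        if (env_entry_allowed(envp[i])) out[k++] = envp[i];
    *kept = k;
    return out;
}

/* Constructed sample environment, not captured from a real server. */
static char *const constructed_env[] = { "HTTPS=on", "SSL_PROTOCOL=TLSv1",
    "LD_PRELOAD=/tmp/x.so", "HTTPSX=1", "QUERY_STRING=a=b", "IFS=x", NULL };

int main(void)
{
    size_t kept = 0, i;
    char **clean = build_clean_env(constructed_env, &kept);
    if (clean == NULL) return 1;
    for (i = 0; i < kept; i++) puts(clean[i]);   /* only allowlisted entries remain */
    free(clean);
    return 0;
}
```

Because the filter is default-deny, any variable not named in either list is dropped without needing a list of dangerous names.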

