httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sander Holthaus - Orange XL" <i...@orangexl.com>
Subject [users@httpd] Apache envirorement variables tainted in cgi?
Date Sun, 13 Oct 2002 19:26:17 GMT
Can any tell me if envirorement variables in Apache can be tainted? I have a
cgi-script that outputs certain data such as the accepted languages in an
email. One of those emails contained the following:

en x-ns$ixDukAVn x-nsrwwDADKILc.

The following regexp was let loose on $ENV{'HTTP_ACCEPT_LANGUAGE'} before it
got pasted in the email.

$ENV{'HTTP_ACCEPT_LANGUAGE'} =~ s/[\d\;\=\.q]*//g;
$ENV{'HTTP_ACCEPT_LANGUAGE'} =~ s/([,])|(.* .*)/ /g;

Does apache check information in HTTP-headers before pasing them as
ENV-variables?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message