httpd-users mailing list archives

From "Sander Holthaus - Orange XL" <i...@orangexl.com>
Subject Re: [users@httpd] Apache environment variables tainted in cgi?
Date Sun, 13 Oct 2002 19:51:19 GMT
Isn't this, in certain cases, a bit strange (and dangerous), since Apache
uses those same variables?

----- Original Message -----
From: "Joshua Slive" <joshua@slive.ca>
To: <users@httpd.apache.org>
Sent: Sunday, October 13, 2002 9:29 PM
Subject: Re: [users@httpd] Apache environment variables tainted in cgi?


> Sander Holthaus - Orange XL wrote:
> > Does apache check information in HTTP-headers before passing them as
> > ENV-variables?
>
> No.  If you use env-variables in dangerous ways (including showing them
> to clients), you MUST encode them yourself to prevent security problems.
>
> Joshua.
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
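
The advice quoted above, sketched as a CGI-style script (an added example, not part of the original thread): header-derived variables are escaped before being shown to a client and validated against an allow-list before being acted on. The sample environment, the `LANG_RE` pattern and the function names are constructed for illustration.

```python
import html
import re

# Constructed sample: a CGI environment after a client sent hostile request
# headers. The server copies header values into HTTP_* variables unchanged.
SAMPLE_ENV = {
    "REQUEST_METHOD": "GET",
    "HTTP_USER_AGENT": "<script>alert(1)</script>",
    "HTTP_REFERER": 'http://example.test/"><img src=x>',
    "HTTP_ACCEPT_LANGUAGE": "en-US,en;q=0.8",
}

# Hypothetical allow-list for the one header this script acts on.
LANG_RE = re.compile(r"[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*")


def client_headers(env):
    """Return the variables that originate from client-supplied headers."""
    return {k: v for k, v in env.items() if k.startswith("HTTP_")}


def render_header_table(env):
    """Build an HTML fragment listing the headers, escaping name and value."""
    rows = []
    for name, value in sorted(client_headers(env).items()):
        rows.append("<tr><td>%s</td><td>%s</td></tr>"
                    % (html.escape(name, quote=True),
                       html.escape(value, quote=True)))
    return "<table>\n%s\n</table>" % "\n".join(rows)


def preferred_language(env, default="en"):
    """Validate before use: accept the first language tag only if it matches."""
    raw = env.get("HTTP_ACCEPT_LANGUAGE", "")
    first = raw.split(",")[0].split(";")[0].strip()
    return first if LANG_RE.fullmatch(first) else default


if __name__ == "__main__":
    print("Content-Type: text/html; charset=utf-8\n")
    print(render_header_table(SAMPLE_ENV))
    print("<p>lang=%s</p>" % html.escape(preferred_language(SAMPLE_ENV)))
```
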

