httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] Apache environment variables tainted in cgi?
Date Sun, 13 Oct 2002 19:29:21 GMT
Sander Holthaus - Orange XL wrote:
> Does apache check information in HTTP-headers before passing them as
> ENV-variables?

No.  If you use env-variables in dangerous ways (including showing them 
to clients), you MUST encode them yourself to prevent security problems.

Joshua.
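
An added illustration of the encoding described in the reply above, not part of the original message or of Apache: a Python CGI handler that HTML-encodes header-derived variables before showing them to the client. The sample environment, the function names and the rule of linking only http(s) Referer values are assumptions made for this example.

```python
import html
from urllib.parse import urlsplit

# Constructed sample of a CGI environment. Header values arrive in HTTP_*
# variables unchecked, so every HTTP_* value here is client-controlled.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "HTTP_USER_AGENT": "<script>alert(1)</script>",
    "HTTP_REFERER": "javascript:alert(1)",
    "HTTP_ACCEPT_LANGUAGE": 'en" onmouseover="alert(1)',
}

def esc(value):
    """HTML-encode for element content and quoted attribute values."""
    return html.escape(value, quote=True)

def referer_link(value):
    """Link the Referer only if it is an http(s) URL; otherwise show it as text."""
    try:
        scheme = urlsplit(value).scheme
    except ValueError:  # malformed URL: treat it as plain text
        scheme = ""
    if scheme in ("http", "https"):
        return '<a href="%s">%s</a>' % (esc(value), esc(value))
    return esc(value)

def render_headers(environ):
    """Return an HTML table of the header-derived variables, encoded for output."""
    rows = []
    for name in sorted(k for k in environ if k.startswith("HTTP_")):
        value = environ[name]
        cell = referer_link(value) if name == "HTTP_REFERER" else esc(value)
        rows.append("<tr><td>%s</td><td>%s</td></tr>" % (esc(name), cell))
    return "<table>\n" + "\n".join(rows) + "\n</table>"

def cgi_response(environ):
    """Full CGI response: header block, blank line, encoded body."""
    return "Content-Type: text/html; charset=utf-8\r\n\r\n" + render_headers(environ)

if __name__ == "__main__":
    # In a real CGI script, pass os.environ instead of the constructed sample.
    print(cgi_response(SAMPLE_ENVIRON))
```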


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.