httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] Apache environment variables tainted in cgi?
Date Mon, 14 Oct 2002 01:16:35 GMT
Sander Holthaus - Orange XL wrote:
> Isn't this in certain cases not a bit strange (and dangerous) since Apache
> uses those same variables?

I'm not sure what you mean.  Of course Apache checks before doing 
anything dangerous with client-supplied information.  (Excepting a few 
small security holes that have been discovered over time, including a 
recent one with the Host: request header.)  That doesn't mean that it 
should arbitrarily munge environment variables.  In many cases it is 
only possible to tell what is safe and what is not if you know what you 
are going to do with the information.  Hence there is no way for Apache 
to sanitize all the env-variables for you.

Joshua.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
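
The point made in the reply above, shown as an added example that is not part of the original message or of Apache's code: the same client-supplied CGI variables need different handling depending on where the script sends them, so no single server-side rewrite could be correct for every use. The allowed host list, DOC_ROOT, the file-name pattern and the sample values are assumptions constructed for illustration.

```python
import html
import re
from pathlib import PurePosixPath

# Constructed sample of a CGI environment as the server passes it through
# unmodified; every value here is client-controlled.
SAMPLE_ENV = {
    "HTTP_HOST": "www.example.com",
    "HTTP_USER_AGENT": "<script>alert(1)</script>",
    "PATH_INFO": "/../../etc/passwd",
}

ALLOWED_HOSTS = {"www.example.com", "example.com"}  # assumed site config
DOC_ROOT = PurePosixPath("/srv/reports")            # assumed directory
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.txt")  # assumed naming rule

def for_html(value):
    """Sink: HTML page body. Encoding is enough; nothing is rejected."""
    return html.escape(value, quote=True)

def for_redirect_host(value):
    """Sink: absolute URL in a Location header. Only known hosts pass."""
    host = value.lower().split(":", 1)[0]
    if host not in ALLOWED_HOSTS:
        raise ValueError("unexpected Host value")
    return host

def for_file_path(value):
    """Sink: file name under DOC_ROOT. Allow-list one plain file name."""
    name = value.lstrip("/")
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("unexpected file name")
    return DOC_ROOT / name

def rejected(check, value):
    """Return True when a sink-specific check refuses the value."""
    try:
        check(value)
    except ValueError:
        return True
    return False
```

A value that passes through `for_html` unchanged, such as the sample PATH_INFO, is still refused by `for_file_path`, which is why the decision has to sit next to the use.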

