From: "Sander Holthaus - Orange XL"
Date: Sun, 13 Oct 2002 21:26:17 +0200
Organization: Orange XL
Subject: [users@httpd] Apache environment variables tainted in cgi?

Can anyone tell me if environment variables in Apache can be tainted? I have a cgi-script that outputs certain data such as the accepted languages in an email. One of those emails contained the following:

en x-ns$ixDukAVn x-nsrwwDADKILc

The following regexp was let loose on $ENV{'HTTP_ACCEPT_LANGUAGE'} before it got pasted in the email.

$ENV{'HTTP_ACCEPT_LANGUAGE'} =~ s/[\d\;\=\.q]*//g;
$ENV{'HTTP_ACCEPT_LANGUAGE'} =~ s/([,])|(.* .*)/ /g;

Does Apache check information in HTTP headers before passing them as ENV variables?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
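An added example, not part of the original message: request header values reach a CGI script as client-supplied HTTP_* variables, so this Perl sketch runs the two substitutions from the message over a constructed header value and compares the result with an allowlist parse based on the RFC 4647 language-range grammar. The sample value and the function names denylist_clean and allowlist_clean are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample value for illustration; not taken from the message.
my $header = 'en;q=0.9,x-ns1$ixDukAVn,x-ns2rwwDADKILc';

# The two substitutions from the message, applied to a copy of the value.
# They delete a few characters and turn commas into spaces; every other
# byte the client sent passes through unchanged.
sub denylist_clean {
    my ($v) = @_;
    $v =~ s/[\d\;\=\.q]*//g;
    $v =~ s/([,])|(.* .*)/ /g;
    return $v;
}

# Allowlist: keep only elements shaped like an RFC 4647 language-range
# (1-8 letters, then optional "-" subtags of 1-8 alphanumerics, or "*")
# with an optional q-value. Anything else is dropped, including values
# that contain control characters such as CR or LF.
sub allowlist_clean {
    my ($v) = @_;
    return '' unless defined $v && length($v) <= 256;   # assumed size limit
    my $range = qr/[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*/;
    my $qval  = qr/\s*;\s*q=(?:0(?:\.\d{1,3})?|1(?:\.0{1,3})?)/;
    my @ok;
    for my $item (split /,/, $v) {
        $item =~ s/^\s+|\s+$//g;                        # trim whitespace
        push @ok, $1 if $item =~ /\A($range)(?:$qval)?\z/;
    }
    return join ' ', @ok;
}

print "denylist : ", denylist_clean($header), "\n";
print "allowlist: ", allowlist_clean($header), "\n";
```

The allowlist uses \A and \z rather than ^ and $ so that a trailing newline in the value cannot match.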