From: Joshua Slive
Date: Sun, 13 Oct 2002 15:29:21 -0400
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache envirorement variables tainted in cgi?

Sander Holthaus - Orange XL wrote:

> Does apache check information in HTTP-headers before passing them as
> ENV-variables?

No.  If you use env-variables in dangerous ways (including showing them
to clients), you MUST encode them yourself to prevent security problems.

Joshua.
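
Added example, not part of the original message: a Python CGI script that applies the encoding the reply calls for, one encoder per output context, to the HTTP_* variables that CGI derives from request headers. The sample environment is constructed, and the helper names (client_headers, for_html, for_log, for_shell, render_body) are hypothetical.

```python
import html
import os
import shlex

# Constructed sample of a CGI environment. The server copies request headers
# into HTTP_* variables unchecked, so each value is client-controlled.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "HTTP_USER_AGENT": "<script>alert(1)</script>",
    "HTTP_REFERER": "http://example.test/\r\nX-Injected: 1",
    "HTTP_ACCEPT_LANGUAGE": "en-us; echo injected",
}

def client_headers(environ):
    """Return only the variables derived from request headers (HTTP_*)."""
    return {k: v for k, v in environ.items() if k.startswith("HTTP_")}

def for_html(value):
    """Encode for an HTML text or quoted-attribute context."""
    return html.escape(value, quote=True)

def for_log(value):
    """Escape backslashes and non-printables so a value stays on one log line."""
    return "".join(
        "\\x%02x" % ord(c) if c == "\\" or not c.isprintable() else c
        for c in value)

def for_shell(value):
    """Quote as one shell word; passing an argv list avoids the shell entirely."""
    return shlex.quote(value)

def render_body(environ):
    """Build an HTML table of client headers with both cells encoded."""
    rows = "".join(
        "<tr><td>%s</td><td>%s</td></tr>\n" % (for_html(k), for_html(v))
        for k, v in sorted(client_headers(environ).items())
    )
    return "<table>\n%s</table>\n" % rows

if __name__ == "__main__":
    # When run by the server as a CGI program, echo the real environment.
    print("Content-Type: text/html; charset=utf-8\n")
    print(render_body(os.environ))
```

The encoder has to match the place the value ends up: HTML escaping does nothing for a log file or a shell command line, and the reverse is equally true.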