www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "P. Alejandro Lopez-Valencia" <alej...@sue.ideam.gov.co>
Subject Re: mod_env/370: Modified PATH environemnt variable is not passed, instead system's is used
Date Sat, 12 Apr 1997 14:50:00 GMT
The following reply was made to PR mod_env/370; it has been noted by GNATS.

From: "P. Alejandro Lopez-Valencia" <alejolo@sue.ideam.gov.co>
To: Marc Slemko <marcs@znep.com>
Subject: Re: mod_env/370: Modified PATH environemnt variable is not passed, instead system's
is used
Date: Sat, 12 Apr 1997 09:44:56 -0700 (PDT)

 
 On Sat, 12 Apr 1997, Marc Slemko wrote:
 
 > On Sat, 12 Apr 1997, P. Alejandro Lopez-Valencia wrote:
 > 
 > > The use of a modified environemt PATH is not reflected in the
 > > actual $PATH passed to the CGI. It may constitute a security hole
 > > as the $PATH used is that of the owner of the parent process (root).
 > 
 > What do you mean "modified path"?  Who is modifying it?  The path should
 > be that in effect when the server was started, or some default path if
 > there was none.  Generally root's path is reasonably restrictive; if you
 > wish to modify it you should be able to use SetEnv or change the path
 > before you start httpd.
 > 
 
 That is my problem.. I unset the path with UnSetEnv and redefine
 it with SetEnv, but the $PATH inherited by the server from root (I am
 using /bin/sh5 as its shell) is the one passed to the CGI environment.
 
  --
 P. Alejandro Lopez-Valencia                          Ecologist
 Associate
 International Center for Tropical Ecology at UM-St. Louis
                                       palopez@ecology.umsl.edu
                                       alejolo@ideam.gov.co
                              http://ecology.umsl.edu/~palopez/
 ********          Most beatiful just before.          ********
 

Mime
View raw message