www-apache-bugdb mailing list archives

From Phillip Pollard <bi...@bears.org>
Subject general/2927: Incorrect logging/possible bug when executing user CGI scripts
Date Sun, 30 Aug 1998 06:19:19 GMT

>Number:         2927
>Category:       general
>Synopsis:       Incorrect logging/possible bug when executing user CGI scripts
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sat Aug 29 23:20:01 PDT 1998
>Originator:     binky@bears.org
>Release:        1.3.1
>Environment:
Linux instinct.bears.org 2.0.35 #4 Sat Aug 29 14:18:07 EDT 1998 i586 unknown
>Description:
A CGI script, when in a user directory, but owned by another user and group, will
produce the error "Premature end of script headers:".

Example, user foo maintains script my.cgi for user bar. The file my.cgi is world
executable but is owned by user/group foo:foo. Changing user/group of my.cgi to 
bar:bar fixes this problem.

If you are curious, the script's header is perfectly correct. These scripts and 
their owner settings functioned with earlier versions of Apache. The problem
showed up with the recent upgrade to 1.3.1.

I was tipped off by this problem when I noticed that scripts that weren't 
functioning in user directories did function in the root dir. I can only assume
that rootdir doesn't care about owner when executing.

This occurs in scripts as simple as 'hello world' and more complicated ones. It 
occurs in both C and Perl scripts. Scripts are fully executable under the 
webserver user (nobody) when done via shell.
>How-To-Repeat:
Take a script in a user directory and change its user and group and try to access it.
>Fix:
Allow world readable files of other users to be viewed. Or, if you wish to deny 
access, change the log error to a more descriptive response. This was a PAIN to
figure out. It may be a reason that you are getting some of these CGI problems 
posted to you.

[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]
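
An added example, not part of the original report: a Python check that walks a user's CGI directory and lists executable files whose owner or group differs from the account that owns the directory, which is the condition the report describes. The function names, the default of treating the directory's owner as the expected owner, and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile


def find_ownership_mismatches(cgi_dir, expected_uid=None, expected_gid=None):
    """List executable files under cgi_dir not owned by the expected uid/gid.

    By default the expected owner is whoever owns cgi_dir itself (an
    assumption: the user directory belongs to the account it serves).
    Returns a list of (path, file_uid, file_gid) tuples.
    """
    top = os.stat(cgi_dir)
    want_uid = top.st_uid if expected_uid is None else expected_uid
    want_gid = top.st_gid if expected_gid is None else expected_gid
    mismatches = []
    for root, _dirs, files in os.walk(cgi_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and other non-regular files
            if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                continue  # not executable, so not run as a CGI program
            if st.st_uid != want_uid or st.st_gid != want_gid:
                mismatches.append((path, st.st_uid, st.st_gid))
    return mismatches


def build_sample_tree():
    """Constructed sample: one executable script and one plain file."""
    base = tempfile.mkdtemp(prefix="userdir-cgi-")
    script = os.path.join(base, "my.cgi")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho 'Content-type: text/plain'\necho\necho hello\n")
    os.chmod(script, 0o755)
    with open(os.path.join(base, "notes.txt"), "w") as fh:
        fh.write("not a script\n")
    return base, script


if __name__ == "__main__":
    base, script = build_sample_tree()
    st = os.stat(script)
    # Pretend the directory belongs to another account (uid + 1) so the script
    # shows up as a mismatch without needing root to chown anything.
    for path, uid, gid in find_ownership_mismatches(base, st.st_uid + 1, st.st_gid):
        print(f"{path}: owned by {uid}:{gid}, expected {st.st_uid + 1}:{st.st_gid}")
```
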
