www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Reid <br...@customlogic.com>
Subject suexec/9163: SSL environment variables not accessible when using mod_ssl and suExec
Date Mon, 17 Dec 2001 21:09:10 GMT

>Number:         9163
>Category:       suexec
>Synopsis:       SSL environment variables not accessible when using mod_ssl and suExec
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Mon Dec 17 13:10:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     breid@customlogic.com
>Release:        All
>Organization:
apache
>Environment:
Any
>Description:
I am trying to use suExec for running CGI programs on a server that
is secured using mod_ssl.  The problem that I am running into is that
suExec strips out all of the SSL related environment variables when it
cleans the environment space of the child process.  Since it strips out
the variables, I lose the ability to detect whether my CGI programs are
running through SSL.
>How-To-Repeat:
Setup a secure virtual host with a cgi-bin that uses suexec.  Put a CGI program in
the cgi-bin directory that echos its environment variables.  The HTTPS environment
variable and all the SSL_* variables will not be listed.  If you take away the
suexec usage, all the SSL_ variables will be listed.
>Fix:
The following patch to suexec.c adds the HTTPS variable to the
"safe_env_lst" variable and adds a check in clean_env() to look for and
retain all the variables that start with "SSL_".

diff -urN oldhttpd/support/suexec.c httpd-2_0_28/support/suexec.c
--- oldhttpd/support/suexec.c   Tue Oct 30 09:38:03 2001
+++ httpd-2_0_28/support/suexec.c       Mon Dec 17 10:08:51 2001
@@ -136,6 +136,7 @@
     "DOCUMENT_URI",
     "FILEPATH_INFO",
     "GATEWAY_INTERFACE",
+    "HTTPS",
     "LAST_MODIFIED",
     "PATH_INFO",
     "PATH_TRANSLATED",
@@ -227,7 +228,7 @@
     cidx++;

     for (ep = environ; *ep && cidx < AP_ENVBUF-1; ep++) {
-       if (!strncmp(*ep, "HTTP_", 5)) {
+       if (!strncmp(*ep, "HTTP_", 5) || !strncmp(*ep, "SSL_",4)) {
            cleanenv[cidx] = *ep;
            cidx++;
        }
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]
 
 


Mime
View raw message