
List:       apache-httpd-bugs
Subject:    [Bug 59886] New: httpoxy: shouldn't suexec block the questionable HTTP_ variables
From:       bugzilla () apache ! org
Date:       2016-07-19 16:00:23
Message-ID: bug-59886-7868 () https ! bz ! apache ! org/bugzilla/

https://bz.apache.org/bugzilla/show_bug.cgi?id=59886

            Bug ID: 59886
           Summary: httpoxy: shouldn't suexec block the questionable HTTP_
                    variables
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: mod_suexec
          Assignee: bugs@httpd.apache.org
          Reporter: calestyo@scientia.net

Hey.

In the wake of httpoxy[0], shouldn't suexec also block the problematic HTTP_ env
vars from being passed on?

Right now it seems that anything starting with HTTP_ or SSL_ is passed through,
which doesn't seem particularly trustworthy at first glance.

Cheers,
Chris.


[0] https://httpoxy.org/
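
The concern raised in the report above, as an added example in C (not part of the original message and not suexec's own code): a prefix-only environment filter hands HTTP_PROXY, the variable CGI derives from a client's Proxy request header, to the child process, while an exact-name deny check placed ahead of the prefix match drops it. The function names, the deny list and the sample environment are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Passed prefixes as the report describes; deny_names is this example's assumption. */
static const char *const pass_prefixes[] = { "HTTP_", "SSL_", NULL };
static const char *const deny_names[] = { "HTTP_PROXY", NULL };

/* Constructed sample environment for a CGI child process. */
static const char *const sample_env[] = {
    "HTTP_HOST=www.example.test", "SSL_PROTOCOL=TLSv1.2", "FOO=bar",
    "HTTP_PROXY=http://proxy.example.test:8080",
    "HTTP_PROXY_CONNECTION=keep-alive", NULL
};

/* Prefix-only filter: keeps every HTTP_* and SSL_* entry, HTTP_PROXY included. */
int passes_prefix_only(const char *entry) {
    for (int i = 0; pass_prefixes[i]; i++)
        if (strncmp(entry, pass_prefixes[i], strlen(pass_prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Hardened filter: exact-name deny check first, then the prefix check. */
int passes_hardened(const char *entry) {
    for (int i = 0; deny_names[i]; i++) {
        size_t n = strlen(deny_names[i]);
        if (strncmp(entry, deny_names[i], n) == 0 && entry[n] == '=')
            return 0;
    }
    return passes_prefix_only(entry);
}

/* Copy kept entries into out[] (NULL-terminated, cap >= 1); returns the count kept. */
size_t clean_env(const char *const in[], const char *out[], size_t cap,
                 int (*keep)(const char *)) {
    size_t n = 0;
    for (size_t i = 0; in[i] && n + 1 < cap; i++)
        if (keep(in[i])) out[n++] = in[i];
    out[n] = NULL;
    return n;
}

int main(void) {
    const char *out[8];
    size_t a = clean_env(sample_env, out, 8, passes_prefix_only);
    size_t b = clean_env(sample_env, out, 8, passes_hardened);
    printf("prefix-only keeps %zu, hardened keeps %zu\n", a, b);
    return 0;
}
```

The deny check compares the whole name up to `=`, so HTTP_PROXY_CONNECTION in the sample still passes while HTTP_PROXY does not.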
