Mailing List Archive

suExec, mod_ssl, and CGI Environment variables.
Hello,

I am trying to use suExec for running CGI programs on a server that
is secured using mod_ssl. The problem that I am running into is that
suExec strips out all of the SSL related environment variables when it
cleans the environment space of the child process. Since it strips out
the variables, I lose the ability to detect whether my CGI programs are
running through SSL. Is there any harm in not stripping out the SSL
environment variables? Are there any plans to modify suExec to pass
these variables through or at least pass the HTTPS variable through?

It seems that it would be easy, in suexec.c to add the HTTPS variable
to the "safe_env_lst" variable and add a check in clean_env() to look
for and retain all the variables that start with "SSL_".

Thanks,
Brian
____________________________________________________________
Brian Reid mailto:breid@customlogic.com
US CustomLogic LLC http://www.customlogic.com/
11292 Coloma Road, Suite C voice: +1 916 853-4920
Gold River, CALIFORNIA 95670 fax: +1 916 853-4924
Networking and Custom Programming Linux Server Support
____________________________________________________________


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: suExec, mod_ssl, and CGI Environment variables.
> From: Brian G. Reid [mailto:breid@customlogic.com]

> I am trying to use suExec for running CGI programs on a server that
> is secured using mod_ssl. The problem that I am running into is that
> suExec strips out all of the SSL related environment variables when it
> cleans the environment space of the child process. Since it strips out
> the variables, I lose the ability to detect whether my CGI programs are
> running through SSL. Is there any harm in not stripping out the SSL
> environment variables? Are there any plans to modify suExec to pass
> these variables through or at least pass the HTTPS variable through?
>
> It seems that it would be easy, in suexec.c to add the HTTPS variable
> to the "safe_env_lst" variable and add a check in clean_env() to look
> for and retain all the variables that start with "SSL_".

There is no harm in changing suexec to pass specific env variables. The
idea of clean_env is to prevent an attacker from polluting important system
variables. If you submit a patch to the bug database, it may be accepted.
(For 2.0, of course. Apache 1.3 has no hooks for SSL on its own.)

Joshua.


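The change Brian sketches, and the reason Joshua gives for clean_env existing at all, are easier to reason about with a concrete allowlist filter in hand. The following is an added example written for this archive page; it is not code from suexec.c or from any Apache release, and the variable names in its lists and the fixed PATH value are assumptions chosen to illustrate the mechanism. It keeps two things: an exact-name allowlist (with HTTPS added, as proposed) and a set of trusted name prefixes (HTTP_ for request headers, SSL_ for what mod_ssl exports). Everything else, including an attacker-influenced PATH, LD_PRELOAD or IFS, is dropped. Note why the SSL_ prefix is safe to trust: CGI maps every client-supplied header to HTTP_<NAME>, so a request can never produce a variable whose name begins with SSL_; only the server itself sets those.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Exact-name allowlist in the spirit of suexec's safe_env_lst (illustrative;
 * not the list from suexec.c). "HTTPS" is the entry the thread proposes adding. */
static const char *const safe_env_lst[] = {
    "AUTH_TYPE", "CONTENT_LENGTH", "CONTENT_TYPE", "GATEWAY_INTERFACE",
    "PATH_INFO", "PATH_TRANSLATED", "QUERY_STRING", "REMOTE_ADDR",
    "REMOTE_HOST", "REMOTE_USER", "REQUEST_METHOD", "SCRIPT_NAME",
    "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL", "SERVER_SOFTWARE",
    "HTTPS",
    NULL
};

/* Name prefixes kept wholesale. HTTP_ covers request headers (CGI maps every
 * client header to HTTP_<NAME>, so nothing a client sends can land in SSL_*);
 * SSL_ is the prefix check the thread asks for. */
static const char *const safe_prefix_lst[] = { "HTTP_", "SSL_", NULL };

/* PATH is never inherited; the cleaned environment gets this fixed value.
 * (Assumed value for this example; suexec takes its from a build-time setting.) */
#define SAFE_PATH "PATH=/usr/local/bin:/usr/bin:/bin"

/* Returns 1 if a "NAME=value" entry survives cleaning, 0 otherwise.
 * Only the name is inspected; exact-list names must match in full. */
int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;                         /* malformed: no '=' */
    size_t namelen = (size_t)(eq - entry);

    for (const char *const *p = safe_prefix_lst; *p != NULL; ++p) {
        size_t plen = strlen(*p);
        if (namelen > plen && strncmp(entry, *p, plen) == 0)
            return 1;
    }
    for (const char *const *p = safe_env_lst; *p != NULL; ++p) {
        if (strlen(*p) == namelen && strncmp(entry, *p, namelen) == 0)
            return 1;
    }
    return 0;
}

/* Copies the allowed entries of `in` into `out` (capacity `cap`, counting the
 * terminating NULL), with SAFE_PATH always first. Strings are not duplicated;
 * `out` points into `in`. Returns the number of entries written (excluding
 * the NULL), or -1 if `out` is too small. */
int clean_env(const char *const *in, const char **out, size_t cap)
{
    size_t n = 0;
    if (cap < 2)
        return -1;
    out[n++] = SAFE_PATH;
    for (const char *const *e = in; *e != NULL; ++e) {
        if (!env_entry_allowed(*e))
            continue;
        if (n + 1 >= cap)
            return -1;                    /* leave room for the NULL */
        out[n++] = *e;
    }
    out[n] = NULL;
    return (int)n;
}

/* Constructed sample environment: what mod_ssl exports, ordinary CGI
 * variables, and entries an attacker would want the CGI to inherit. */
static const char *const sample_env[] = {
    "PATH=/tmp/evil:/usr/bin",            /* dropped; SAFE_PATH is used instead */
    "LD_PRELOAD=/tmp/evil.so",            /* dropped */
    "IFS= ",                              /* dropped */
    "HTTPS=on",                           /* kept: exact-list entry */
    "SSL_PROTOCOL=TLSv1.2",               /* kept: SSL_ prefix */
    "SSL_CIPHER=ECDHE-RSA-AES128-GCM-SHA256",
    "HTTP_HOST=www.example.com",          /* kept: HTTP_ prefix */
    "HTTP_SSL_PROTOCOL=spoofed",          /* a client header, so it stays HTTP_-prefixed */
    "SERVER_NAME=www.example.com",        /* kept: exact-list entry */
    "HTTPSX=on",                          /* dropped: not an exact match for HTTPS */
    NULL
};

int main(void)
{
    const char *cleaned[32];
    int n = clean_env(sample_env, cleaned, sizeof cleaned / sizeof cleaned[0]);
    for (int i = 0; i < n; ++i)
        printf("%s\n", cleaned[i]);
    return n < 0;
}
```

Run against the sample environment, seven entries survive: the fixed PATH, HTTPS, the two SSL_ variables, the two HTTP_ headers and SERVER_NAME. The spoofed HTTP_SSL_PROTOCOL header is kept, but under its HTTP_ name, so a CGI that checks SSL_PROTOCOL or HTTPS is not fooled by it; that separation is what makes the SSL_ prefix safe to add to the allowlist.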