Re: apache-ssl's suexec

To: Christoph Martin <martin@uni-mainz.de>
Cc: Matthew Wilcox <willy@debian.org>, christoph.martin@uni-mainz.de, debian-apache@lists.debian.org
Subject: Re: apache-ssl's suexec
From: Matthew Wilcox <willy@debian.org>
Date: Fri, 11 Jan 2002 16:51:35 +0000
Message-id: <[🔎] 20020111165135.G26644@parcelfarce.linux.theplanet.co.uk>
In-reply-to: <[🔎] 15423.4554.576973.147959@arthur.zdv.Uni-Mainz.DE>; from martin@uni-mainz.de on Fri, Jan 11, 2002 at 05:24:42PM +0100
References: <[🔎] 20020111044047.A26644@parcelfarce.linux.theplanet.co.uk> <[🔎] 15423.4554.576973.147959@arthur.zdv.Uni-Mainz.DE>

On Fri, Jan 11, 2002 at 05:24:42PM +0100, Christoph Martin wrote:
> The ssl patch for suexec is the following:
> 
> --- ../apache_1.3.19/src/support/suexec.c	Mon Jan 15 17:06:40 2001
> +++ ./src/support/suexec.c	Fri Mar 23 14:17:51 2001
> @@ -228,7 +228,8 @@
>      cidx++;
>  
>      for (ep = environ; *ep && cidx < AP_ENVBUF-1; ep++) {
> -	if (!strncmp(*ep, "HTTP_", 5)) {
> +	if (!strncmp(*ep, "HTTP_", 5) || !strncmp(*ep,"HTTPS",5)
> +	    || !strncmp(*ep,"SSL_",4)) {
>  	    cleanenv[cidx] = *ep;
>  	    cidx++;
>  	}
> 
> I think that is all.

hmm.  I don't think that does what it's expected to do.  It permits _any_
env var beginng with "HTTPS", when I think what was meant was to allow
the exact string "HTTPS".  Otherwise they should be allowing variables
beginning with "HTTPS_".

-- 
Revolutions do not require corporate support.

Reply to:

References:
- apache-ssl's suexec
  - From: Matthew Wilcox <willy@debian.org>
- Re: apache-ssl's suexec
  - From: Christoph Martin <martin@uni-mainz.de>

Prev by Date: Re: apache-ssl's suexec
Next by Date: apacheconfig patch review requested
Previous by thread: Re: apache-ssl's suexec
Next by thread: apacheconfig patch review requested
Index(es):
- Date
- Thread