Posted to bugs@httpd.apache.org by bu...@apache.org on 2016/12/06 17:55:18 UTC

[Bug 60448] New: mod_fcgid leaks out Variable- prefixed FcgidAuthenticator response headers

https://bz.apache.org/bugzilla/show_bug.cgi?id=60448

            Bug ID: 60448
           Summary: mod_fcgid leaks out Variable- prefixed
                    FcgidAuthenticator response headers
           Product: Apache httpd-2
           Version: 2.4.6
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_fcgid
          Assignee: bugs@httpd.apache.org
          Reporter: ujvari@microsec.hu
  Target Milestone: ---

mod_fcgid passes "Variable-" prefixed headers, which were received from an
FcgidAuthenticator process, to the responder subprocess as environment
variables. These headers should not be sent back to the user, since these are
just internal data, but mod_fcgid lets them through.

mod_fcgid seems to collect response headers in the r->err_headers_out field,
including "Variable-" prefixed ones, then the mod_fcgid_modify_auth_header function
(called by an apr_table_do iterator) stores them in the subprocess environment
array. When mod_fcgid_modify_auth_header finds a "Variable-" prefixed header it
should remove it from the r->err_headers_out field, I presume.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
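
The handling the report proposes, as an added C model that is not mod_fcgid's code and does not use APR: the structs, function names and sample headers are assumptions made for this illustration. Headers whose names begin with "Variable-" are copied to the environment array and dropped from the client-visible set; the prefix is matched case-insensitively because HTTP header names are.

```c
#include <stdio.h>
#include <strings.h>
#define VAR_PREFIX "Variable-"
#define VAR_PREFIX_LEN (sizeof(VAR_PREFIX) - 1)

struct header { const char *key, *val; };
struct split_result { size_t kept, n_env, leaked; };

/* Count entries whose name starts with "Variable-" (case-insensitive). */
size_t count_variable_headers(const struct header *h, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (strncasecmp(h[i].key, VAR_PREFIX, VAR_PREFIX_LEN) == 0)
            hits++;
    return hits;
}

/* Copy each "Variable-" header into env[] and drop it from out[], compacting
 * out[] in place. Returns how many headers remain for the client. */
size_t split_auth_headers(struct header *out, size_t n_out,
                          struct header *env, size_t env_cap, size_t *n_env) {
    size_t keep = 0;
    *n_env = 0;
    for (size_t i = 0; i < n_out; i++) {
        if (strncasecmp(out[i].key, VAR_PREFIX, VAR_PREFIX_LEN) == 0) {
            if (*n_env < env_cap) env[(*n_env)++] = out[i];
            continue; /* internal data: never forwarded, even if env[] is full */
        }
        out[keep++] = out[i];
    }
    return keep;
}

/* Constructed sample headers (not taken from the bug report). */
struct split_result run_sample(void) {
    struct header out[] = {
        { "Content-Type", "text/html" }, { "Variable-AUTH_USER_ID", "1234" },
        { "variable-internal_role", "admin" }, { "Set-Cookie", "sid=abc" },
    };
    struct header env[4]; struct split_result r;
    r.kept = split_auth_headers(out, 4, env, 4, &r.n_env);
    r.leaked = count_variable_headers(out, r.kept);
    return r;
}

int main(void) {
    struct split_result r = run_sample();
    printf("kept=%zu env=%zu leaked=%zu\n", r.kept, r.n_env, r.leaked);
    return r.leaked != 0; /* non-zero exit if any "Variable-" header survived */
}
```

The same prefix count, run over the headers of a real response, works as a regression check for this bug.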


[Bug 60448] mod_fcgid leaks out Variable- prefixed FcgidAuthenticator response headers

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60448

--- Comment #1 from Aron Ujvari <uj...@microsec.hu> ---
mod_fcgid 2.3.9 was tested and leaked out these headers.
