Posted to apache-bugdb@apache.org by dg...@hyperreal.com on 1997/04/27 23:15:45 UTC
Changed information for PR suexec/479
Synopsis: mod_cgi passing foobared username argument to suEXEC
State-Changed-From-To: open-feedback
State-Changed-By: dgaudet
State-Changed-When: Sun Apr 27 14:15:44 PDT 1997
State-Changed-Why:
I'd wager this too was fixed by 1.2b9... which is in the usual
places. Could you tell us if it does fix the problem?
Thanks
Dean
Re: Changed information for PR suexec/479
Posted by Marc Slemko <ma...@znep.com>.
Damn. Check out argv. You will find several thousand copies of whatever
argument you pass. Oops. Will look at the cause...
On Sun, 27 Apr 1997, Mark A. Bentley wrote:
>
> Hmmm, interesting... suEXEC isn't logging an error now, instead
> the server is returning this error:
>
> 500 Internal Server Error
>
> And my error log says "premature end of script headers".
>
> It seems the only time this bug shows itself is when the
> query string doesn't consist of name=value, but rather
> just a name, like this:
>
> http://www.cs.umn.edu/~amundson/haha.cgi?test
>
> If I say ...
>
> /haha.cgi?test= I don't get that error.
> /haha.cgi?test=something I don't get that error either.
>
> I'm not sure what the spec says about the query string, but I
> think it is legal to pass a string that isn't a name/value pair,
> right?
>
> Well, I hope this helps. By the way, you guys are doing a great job!
>
> --Mark
>
> On Sun, 27 Apr 1997 dgaudet@hyperreal.com wrote:
>
> > Synopsis: mod_cgi passing foobared username argument to suEXEC
> >
> > State-Changed-From-To: open-feedback
> > State-Changed-By: dgaudet
> > State-Changed-When: Sun Apr 27 14:15:44 PDT 1997
> > State-Changed-Why:
> > I'd wager this too was fixed by 1.2b9... which is in the usual
> > places. Could you tell us if it does fix the problem?
> >
> > Thanks
> > Dean
> >
>
>
> --
> Mark A Bentley Email: bentlema@cs.umn.edu
> Systems Staff, CSci Dept
> University of Minnesota URL: http://www.cs.umn.edu/~bentlema/
>
Re: Changed information for PR suexec/479
Posted by Dean Gaudet <dg...@arctic.org>.
There are definitely special cases for = in the code... but I'm not going
to pretend to know why they're there. Anyone else?
Dean
On Sun, 27 Apr 1997, Mark A. Bentley wrote:
>
> Hmmm, interesting... suEXEC isn't logging an error now, instead
> the server is returning this error:
>
> 500 Internal Server Error
>
> And my error log says "premature end of script headers".
>
> It seems the only time this bug shows itself is when the
> query string doesn't consist of name=value, but rather
> just a name, like this:
>
> http://www.cs.umn.edu/~amundson/haha.cgi?test
>
> If I say ...
>
> /haha.cgi?test= I don't get that error.
> /haha.cgi?test=something I don't get that error either.
>
> I'm not sure what the spec says about the query string, but I
> think it is legal to pass a string that isn't a name/value pair,
> right?
>
> Well, I hope this helps. By the way, you guys are doing a great job!
>
> --Mark
>
> On Sun, 27 Apr 1997 dgaudet@hyperreal.com wrote:
>
> > Synopsis: mod_cgi passing foobared username argument to suEXEC
> >
> > State-Changed-From-To: open-feedback
> > State-Changed-By: dgaudet
> > State-Changed-When: Sun Apr 27 14:15:44 PDT 1997
> > State-Changed-Why:
> > I'd wager this too was fixed by 1.2b9... which is in the usual
> > places. Could you tell us if it does fix the problem?
> >
> > Thanks
> > Dean
> >
>
>
> --
> Mark A Bentley Email: bentlema@cs.umn.edu
> Systems Staff, CSci Dept
> University of Minnesota URL: http://www.cs.umn.edu/~bentlema/
>
>
Re: Changed information for PR suexec/479
Posted by "Mark A. Bentley" <be...@cs.umn.edu>.
Hmmm, interesting... suEXEC isn't logging an error now, instead
the server is returning this error:
500 Internal Server Error
And my error log says "premature end of script headers".
It seems the only time this bug shows itself is when the
query string doesn't consist of name=value, but rather
just a name, like this:
http://www.cs.umn.edu/~amundson/haha.cgi?test
If I say ...
/haha.cgi?test= I don't get that error.
/haha.cgi?test=something I don't get that error either.
I'm not sure what the spec says about the query string, but I
think it is legal to pass a string that isn't a name/value pair,
right?
Well, I hope this helps. By the way, you guys are doing a great job!
--Mark
On Sun, 27 Apr 1997 dgaudet@hyperreal.com wrote:
> Synopsis: mod_cgi passing foobared username argument to suEXEC
>
> State-Changed-From-To: open-feedback
> State-Changed-By: dgaudet
> State-Changed-When: Sun Apr 27 14:15:44 PDT 1997
> State-Changed-Why:
> I'd wager this too was fixed by 1.2b9... which is in the usual
> places. Could you tell us if it does fix the problem?
>
> Thanks
> Dean
>
--
Mark A Bentley Email: bentlema@cs.umn.edu
Systems Staff, CSci Dept
University of Minnesota URL: http://www.cs.umn.edu/~bentlema/
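
The `=` special case discussed in this thread matches the CGI/1.1 rule that a query string with no unencoded `=` is an "indexed" query, whose `+`-separated, URL-decoded words are handed to the script as command-line arguments. A bounded sketch of that rule follows; it is an added example, not Apache's mod_cgi or suEXEC code, and `query_to_argv` and its parameters are hypothetical.

```c
#include <string.h>

/* Hex digit value, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper, not Apache code. Returns the number of decoded
 * words stored in argv; 0 when the query is empty or holds an unencoded
 * '=' (form data: no command-line arguments); -1 when the words do not
 * fit in argv[max_args] / buf[buflen] or an escape is malformed. */
int query_to_argv(const char *query, char **argv, int max_args,
                  char *buf, size_t buflen)
{
    const char *p = query;
    size_t used = 0;
    int argc = 0;

    if (*query == '\0' || strchr(query, '=') != NULL)
        return 0;
    for (;;) {
        if (argc >= max_args) return -1;   /* bounded argument count */
        argv[argc++] = buf + used;
        for (; *p != '\0' && *p != '+'; p++) {
            int c = (unsigned char)*p;
            if (c == '%') {                /* URL-decode %XX */
                int hi = hexval((unsigned char)p[1]);
                int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
                if (lo < 0) return -1;
                c = hi * 16 + lo;
                p += 2;
            }
            if (c == '\0' || used + 1 >= buflen) return -1;
            buf[used++] = (char)c;
        }
        if (used >= buflen) return -1;
        buf[used++] = '\0';
        if (*p == '\0') return argc;
        p++;                               /* skip the '+' separator */
    }
}
```

With the three query shapes from the thread, `test` yields one argument while `test=` and `test=something` yield none, which is why only the first form reaches the argument-passing path.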