Posted to bugs@httpd.apache.org by bu...@apache.org on 2007/11/19 18:52:16 UTC
DO NOT REPLY [Bug 43906] New: - SetEnv does not allow PATH override
http://issues.apache.org/bugzilla/show_bug.cgi?id=43906
Summary: SetEnv does not allow PATH override
Product: Apache httpd-2
Version: 2.2.4
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Core
AssignedTo: bugs@httpd.apache.org
ReportedBy: lavr@ncbi.nlm.nih.gov

SetEnv PATH "/usr/bin:/bin"
does not work (it's an undocumented exception among a few more) because of
special treatment in server/util_script.c::ap_add_common_vars(), which always
takes PATH as inherited from the Apache startup environment. The startup
environment can be rather "wide", and narrowing it down with an appropriate
SetEnv PATH (as shown) seems like a good security measure. But to no avail
with the current implementation. Note that another commonly used environment,
closely related to PATH but only in terms of shared libraries rather than
commands, LD_LIBRARY_PATH, *can* be overridden with the SetEnv directive.
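
Since the report says scripts receive the PATH that Apache was started with, that startup value is the one worth checking. The following is an added example, not part of the original report or of httpd: it audits a PATH string for entries commonly treated as risky. The function name audit_path, the choice of checks and the sample value are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not httpd code): audit a PATH value, such as the one the
# server is started with, for entries that widen the command search path.

# audit_path VALUE
# Prints one "reason: entry" line per risky entry and nothing for clean ones.
# Checks (chosen for this example): empty entry, relative entry,
# missing directory, world-writable directory.
audit_path() {
    # Append ":" so a trailing empty entry is also seen.
    rest="$1:"
    while [ -n "$rest" ]; do
        dir=${rest%%:*}     # first entry
        rest=${rest#*:}     # remainder after the first ":"
        case "$dir" in
            "")
                # An empty entry makes the shell search the current directory.
                echo "empty (current directory): ''" ;;
            /*)
                if [ ! -d "$dir" ]; then
                    echo "missing: $dir"
                else
                    # -L follows symlinks so the target's mode is inspected.
                    mode=$(ls -ldL "$dir" 2>/dev/null) || continue
                    case "$mode" in
                        # 9th character of the mode string is the
                        # write bit for "other".
                        ????????w*) echo "world-writable: $dir" ;;
                    esac
                fi ;;
            *)
                echo "relative: $dir" ;;
        esac
    done
}

# Constructed sample value: the narrow PATH from the report plus a relative
# entry and a trailing ":" of the kind a login environment can carry.
audit_path "/usr/bin:/bin:.:"
```

Run it against the environment the server is actually launched from (for example the init script or service unit), since that is the value the report says reaches scripts.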