DO NOT REPLY [Bug 43906] New: - SetEnv does not allow PATH override

[bu...@apache.org]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43906>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43906

           Summary: SetEnv does not allow PATH override
           Product: Apache httpd-2
           Version: 2.2.4
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: lavr@ncbi.nlm.nih.gov


SetEnv PATH "/usr/bin:/bin"
does not work (it's an undocumented exception among a few more) because of
special treatment in server/util_script.c::ap_add_common_vars(), which always
takes PATH as inherited from Apache startup environment.  The startup
environment can be rather "wide", and narrowing it down with an appropriate
SetEnv PATH (as shown) seems like a good security measure.  But to no avail
with current implementation.  Note that another commonly used environment,
closely related to PATH but only in terms of shared libraries rather than
commands, LD_LIBRARY_PATH *can* be overridden with SetEnv directive.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org