You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Jay Kreibich <ja...@uiuc.edu> on 2001/02/08 06:10:22 UTC

mod_setenvif/7215: CGI needs actual HTTP request header values.

>Number:         7215
>Category:       mod_setenvif
>Synopsis:       CGI needs actual HTTP request header values.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Wed Feb 07 21:20:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     jak@uiuc.edu
>Release:        1.3.17
>Organization:
apache
>Environment:
SunOS 5.8 Generic_108528-04 sun4m sparc
compiled with Sun's "cc".
>Description:
I'm developing CGI scripts that need to know the full value of some "x-" HTTP request headers (generated by WAP gateways).  Although I can use SetEnvIf to test for the existance of such headers, there is no way to get the value of these dynamic headers into an envar that will get passed to my CGI script.

FIX: The included patch adds one more syntax to mod_setenvif statements that looks like this:

    SetEnvIf <header> <regex> <envar>=$

If the <regex> matches against the value of <header>, the whole <header> value is copied into <envar>.

ISSUES: This has the posibility of breaking some existing SetEnvIf statements.  There are also some security concerns about taking a header value of unknown constraints and passing it to a CGI.  This is a security concern more for the CGI script than Apache.  I assume Apache offers the same protection against attacks (like huge headers looking for a buffer overflow) for these values as it does for more standardized ones, such as User-Agent.  Note, the patch plays a little fast and loose with strcmp(), but only in the same fashion it was already being used.
>How-To-Repeat:

>Fix:
Patch to src/modules/standard/mod_setenvif.c
######diff -u######
--- mod_setenvif-old.c  Wed Feb  7 22:44:49 2001
+++ mod_setenvif.c      Wed Feb  7 22:44:49 2001
@@ -441,7 +441,13 @@
                     ap_table_unset(r->subprocess_env, elts[j].key);
                 }
                 else {
-                    ap_table_setn(r->subprocess_env, elts[j].key, elts[j].val);
+                    if (!strcmp(elts[j].val, "$")) {
+                        ap_table_setn(r->subprocess_env, elts[j].key, val);
+                    }
+                   else {
+                        ap_table_setn(r->subprocess_env, elts[j].key,
+                                                         elts[j].val);
+                    }
                 }
             }
         }
######end diff######
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <ap...@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]