Posted to dev@httpd.apache.org by Yann Ylavic <yl...@gmail.com> on 2018/04/05 11:38:05 UTC

Re: svn commit: r1811831 - /httpd/httpd/trunk/server/util_script.c

On Wed, Oct 11, 2017 at 4:48 PM,  <jo...@apache.org> wrote:
> Author: jorton
> Date: Wed Oct 11 14:48:55 2017
> New Revision: 1811831
>
> URL: http://svn.apache.org/viewvc?rev=1811831&view=rev
> Log:
> * server/util_script.c (ap_add_common_vars): Allow mod_env to override
>   all system path environment variables, not just PATH.  (The
>   behaviour for PATH alone was changed in r965679 for PR 43906.)

Since SetEnv* are usable from htaccess, don't we open a risky door here?


Regards,
Yann.

Re: svn commit: r1811831 - /httpd/httpd/trunk/server/util_script.c

Posted by Yann Ylavic <yl...@gmail.com>.
On Mon, Apr 9, 2018 at 10:07 AM, Joe Orton <jo...@redhat.com> wrote:
> On Thu, Apr 05, 2018 at 01:38:05PM +0200, Yann Ylavic wrote:
>> On Wed, Oct 11, 2017 at 4:48 PM,  <jo...@apache.org> wrote:
>> > Author: jorton
>> > Date: Wed Oct 11 14:48:55 2017
>> > New Revision: 1811831
>> >
>> > URL: http://svn.apache.org/viewvc?rev=1811831&view=rev
>> > Log:
>> > * server/util_script.c (ap_add_common_vars): Allow mod_env to override
>> >   all system path environment variables, not just PATH.  (The
>> >   behaviour for PATH alone was changed in r965679 for PR 43906.)
>>
>> Since SetEnv* are usable from htaccess, don't we open a risky door here?
>
> If we allow control over PATH (which we do already) I am struggling to
> imagine how it would be worse to allow control of any other env
> var.

LD_LIBRARY_PATH (and the like) look even more "fun" to play with, possibly.
Whilst applications may not need/use PATH, they can't do much about
LD_LIBRARY_PATH.

PR 43906 states that one can already overwrite LD_LIBRARY_PATH; it's
not the case anymore today, I think (w/o this commit).

>
> Can you think of a scenario where it would be a problem?

Custom .so in /path/to/my/htaccess-ed/htdocs, for instance, which would
be loaded underneath the app (with the same rights).
Although I agree that PATH may already be an issue, so it all depends
on the "trust" given to htaccess files I suppose...
How about a directive to control that? Yes, it sucks, but...


Regards,
Yann.
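
The following is an added illustration, not httpd code and not part of the thread above: a small C model of the per-directory override policy Yann suggests a directive for. It assumes three policy levels (nothing overridable, PATH only, everything) that stand in for the behaviour before r965679, between r965679 and r1811831, and after r1811831; the names `env_override_policy`, `env_override_allowed` and `resolve_env`, and the list of loader-sensitive variables beyond PATH and LD_LIBRARY_PATH, are this example's own. The sample values in `main` are constructed, mirroring the htdocs scenario described above.

```c
#include <stdio.h>
#include <string.h>

/* Environment variables that decide which code a CGI child ends up running,
 * not merely what it does.  PATH and LD_LIBRARY_PATH come from the thread;
 * the remaining names are this example's assumption of comparable variables. */
static const char *const loader_vars[] = {
    "PATH", "LD_LIBRARY_PATH", "LD_PRELOAD", "DYLD_LIBRARY_PATH", NULL
};

/* Hypothetical policy levels, standing in for the directive Yann suggests.
 * They mirror the thread's history: nothing overridable, PATH alone
 * (r965679), everything (r1811831). */
enum env_override_policy {
    ENV_OVERRIDE_NONE,
    ENV_OVERRIDE_PATH_ONLY,
    ENV_OVERRIDE_ALL
};

static int is_loader_var(const char *name)
{
    for (const char *const *p = loader_vars; *p; ++p)
        if (strcmp(*p, name) == 0)
            return 1;
    return 0;
}

/* Returns 1 if a SetEnv from a per-directory (.htaccess) context may replace
 * the server's own value of `name` under `policy`, 0 if the server value wins. */
int env_override_allowed(const char *name, enum env_override_policy policy)
{
    if (!is_loader_var(name))
        return 1;                       /* ordinary variables are not at issue */
    switch (policy) {
    case ENV_OVERRIDE_ALL:
        return 1;
    case ENV_OVERRIDE_PATH_ONLY:
        return strcmp(name, "PATH") == 0;
    default:
        return 0;
    }
}

/* Picks the value that goes into the child's environment.  A NULL
 * htaccess_value means the directory set nothing for this variable. */
const char *resolve_env(const char *name, const char *system_value,
                        const char *htaccess_value,
                        enum env_override_policy policy)
{
    if (htaccess_value && env_override_allowed(name, policy))
        return htaccess_value;
    return system_value;
}

int main(void)
{
    /* Constructed sample: the server's values and what a .htaccess under the
     * document root tried to set via SetEnv. */
    static const struct { const char *name, *sys, *dir; } sample[] = {
        { "PATH",            "/usr/bin:/bin", "/srv/www/htdocs/bin" },
        { "LD_LIBRARY_PATH", "/usr/lib",      "/srv/www/htdocs/lib" },
        { "MY_APP_MODE",     NULL,            "debug" },
    };
    static const char *const labels[] = { "none", "path-only", "all" };

    for (int pol = ENV_OVERRIDE_NONE; pol <= ENV_OVERRIDE_ALL; ++pol) {
        printf("policy=%s\n", labels[pol]);
        for (size_t i = 0; i < sizeof sample / sizeof sample[0]; ++i) {
            const char *v = resolve_env(sample[i].name, sample[i].sys,
                                        sample[i].dir,
                                        (enum env_override_policy)pol);
            printf("  %-16s -> %s\n", sample[i].name, v ? v : "(unset)");
        }
    }
    return 0;
}
```

Under the path-only policy the constructed LD_LIBRARY_PATH override is dropped and the server's /usr/lib is kept, which is the behaviour the thread describes as current before this commit; under "all" the directory's value wins. Absent such a directive, the control an administrator already has is AllowOverride: SetEnv is a FileInfo-class directive, so directories whose .htaccess files are not trusted should not be granted FileInfo.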

Re: svn commit: r1811831 - /httpd/httpd/trunk/server/util_script.c

Posted by Joe Orton <jo...@redhat.com>.
On Thu, Apr 05, 2018 at 01:38:05PM +0200, Yann Ylavic wrote:
> On Wed, Oct 11, 2017 at 4:48 PM,  <jo...@apache.org> wrote:
> > Author: jorton
> > Date: Wed Oct 11 14:48:55 2017
> > New Revision: 1811831
> >
> > URL: http://svn.apache.org/viewvc?rev=1811831&view=rev
> > Log:
> > * server/util_script.c (ap_add_common_vars): Allow mod_env to override
> >   all system path environment variables, not just PATH.  (The
> >   behaviour for PATH alone was changed in r965679 for PR 43906.)
> 
> Since SetEnv* are usable from htaccess, don't we open a risky door here?

If we allow control over PATH (which we do already) I am struggling to
imagine how it would be worse to allow control of any other env
var.

Can you think of a scenario where it would be a problem?

Regards, Joe