The following reply was made to PR mod_env/370; it has been noted by GNATS.
From: Marc Slemko <[EMAIL PROTECTED]> To: "P. Alejandro Lopez-Valencia" <[EMAIL PROTECTED]> Subject: Re: mod_env/370: Modified PATH environemnt variable is not passed, instead system's is used Date: Sat, 12 Apr 1997 08:38:14 -0600 (MDT) On Sat, 12 Apr 1997, P. Alejandro Lopez-Valencia wrote: > The use of a modified environemt PATH is not reflected in the > actual $PATH passed to the CGI. It may constitute a security hole > as the $PATH used is that of the owner of the parent process (root). What do you mean "modified path"? Who is modifying it? The path should be that in effect when the server was started, or some default path if there was none. Generally root's path is reasonably restrictive; if you wish to modify it you should be able to use SetEnv or change the path before you start httpd.
