http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10449

suexec allows environment variables not in the safe list

------- Additional Comments From [EMAIL PROTECTED] 2003-02-10 14:30 -------

I guess it could be fixed with just a quick strlen comparison.

But note that this is probably not a security risk. The point of cleaning down the environment is to prevent unsafe env variables from being passed (think LD_LIBRARY_PATH, etc). It is HIGHLY unlikely that an attacker would be able to construct an unsafe env variable using a prefix of a safe env variable.
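The prefix-match behaviour discussed in the comment above, next to a stricter check that also compares name lengths, as an added example (not suexec's own code and not part of the original message). The allow-list contents, the function names `is_safe_prefix` and `is_safe_exact`, and the sample entries are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed allow-list for illustration; not suexec's actual table. */
static const char *const safe_names[] = { "PATH", "TZ", "REMOTE_USER", NULL };

/* Prefix-only check: accepts any entry that merely starts with a safe name. */
int is_safe_prefix(const char *entry)
{
    for (int i = 0; safe_names[i] != NULL; i++) {
        if (strncmp(entry, safe_names[i], strlen(safe_names[i])) == 0)
            return 1;
    }
    return 0;
}

/* Strict check: the text before '=' must equal a safe name in full,
 * i.e. the lengths must match as well as the leading characters. */
int is_safe_exact(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;                       /* malformed: no '=' or empty name */
    size_t name_len = (size_t)(eq - entry);
    for (int i = 0; safe_names[i] != NULL; i++) {
        if (strlen(safe_names[i]) == name_len &&
            strncmp(entry, safe_names[i], name_len) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample environment entries. */
    const char *samples[] = { "PATH=/usr/bin", "PATH_EXTRA=x", "TZDATA=y",
                              "LD_LIBRARY_PATH=/tmp", "TZ=UTC", NULL };
    for (int i = 0; samples[i] != NULL; i++)
        printf("%-22s prefix=%d exact=%d\n", samples[i],
               is_safe_prefix(samples[i]), is_safe_exact(samples[i]));
    return 0;
}
```

Both checks reject `LD_LIBRARY_PATH`, because it does not begin with any safe name; only entries such as `PATH_EXTRA` or `TZDATA`, which extend a safe name, are treated differently by the two functions.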
