https://issues.apache.org/bugzilla/show_bug.cgi?id=57580
D. Stussy <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |---

--- Comment #4 from D. Stussy <[email protected]> ---
Obviously, it is, and you are wrong. How else do you explain that the value of the User-Agent request header is being executed by a command interpreter? The only way that can happen is when apache extracts the header's value and submits it.

Whether that submission is intentional or implicit is the next logical question, but I submit that intentional submission is a misdesign that needs correction. Should this be implicit, whether by accident or intentional side-effect, that too needs correction.

This is not an issue of the value simply being passed. It's an issue of what happens to that value as it is being passed. Somehow, it is being interpreted and executed as a command string, and that is wrong.

If this is indeed happening during the CGI interface, a redesign is needed. The "User-Agent:" header should be a read-only, non-substitutional value (i.e. constant and never changing). There should be no processing other than perhaps a string copy to the appropriate CGI variable. Whatever else is happening is erroneous.
