[Bug 59886] New: httpoxy: shouldn't suexec block the questonable HTTP_ variables

bugzilla Tue, 19 Jul 2016 09:00:41 -0700

https://bz.apache.org/bugzilla/show_bug.cgi?id=59886


            Bug ID: 59886
           Summary: httpoxy: shouldn't suexec block the questonable HTTP_
                    variables
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: mod_suexec
          Assignee: [email protected]
          Reporter: [email protected]

Hey.

In the wake of httpoxy[0] shouldn't suexec also block the problematic HTTP_ env
vars from being passed on?

Right now it seems that anything starting with HTTP_ or SSL_ is passed through
which doesn't seem particularly trustworthy at a first glance.

Cheers,
Chris.


[0] https://httpoxy.org/

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[Bug 59886] New: httpoxy: shouldn't suexec block the questonable HTTP_ variables

Reply via email to