https://bz.apache.org/bugzilla/show_bug.cgi?id=59886
--- Comment #3 from Eric Covener <[email protected]> ---
(In reply to Christoph Anton Mitterer from comment #2)
> Well, AFAIU, you're anyway going to block at least the Proxy header in httpd
> completely, now, aren't you?

The proposed change for httpd is to not copy this specific header into the child processes' environment with the HTTP_ prefix.

> 1) has anyone checked whether such naming collisions occur on other HTTP_*
> names (which suexec would let pass all)?

I haven't seen any findings in that area.

> 2) Could it be that people use suexec (i.e. the binary) outside of Apache
> (e.g. behind some other webserver) and would thus benefit from blocking the
> env_var at that level as well?

It's possible, and it's possible they'd benefit from removing HTTP_PROXY in suexec. If we removed more variables, it's possible they'd be adversely affected.

I'd be +0.5 on removing just HTTP_PROXY from suexec. This already happens on trunk and is just a partial backport.
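
The two filtering points discussed in this comment, as an added example that is not httpd or suexec source: the header-to-variable mapping that turns a `Proxy` request header into `HTTP_PROXY`, with the drop applied once where the server builds the child environment and once in a suexec-like wrapper. The function names, the "every non-alphanumeric byte becomes `_`" mapping, and the `HTTP_`-prefix-only allowlist are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>

/* Map a request header name to a CGI-style variable name: "HTTP_" prefix,
 * letters upper-cased, any other non-alphanumeric byte replaced by '_'
 * (assumed mapping). Returns 0 on success, -1 if out is too small. */
int cgi_env_name(const char *header, char *out, size_t outlen)
{
    size_t n = strlen(header);
    if (n + 6 > outlen)            /* "HTTP_" + name + NUL */
        return -1;
    memcpy(out, "HTTP_", 5);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)header[i];
        out[5 + i] = isalnum(c) ? (char)toupper(c) : '_';
    }
    out[5 + n] = '\0';
    return 0;
}

/* Server side (hypothetical helper): 1 if the header may be exported to
 * the child. Comparing the mapped name catches "Proxy", "proxy", "PROXY". */
int header_may_be_exported(const char *header)
{
    char name[256];
    if (cgi_env_name(header, name, sizeof name) != 0)
        return 0;                  /* oversized name: do not export */
    return strcmp(name, "HTTP_PROXY") != 0;
}

/* Wrapper side (simplified model of a prefix allowlist): keep HTTP_*
 * entries except HTTP_PROXY, drop everything else. Compacts the
 * NULL-terminated array in place and returns the number kept. */
size_t scrub_env(char **env)
{
    size_t kept = 0;
    for (size_t i = 0; env[i] != NULL; i++) {
        if (strncmp(env[i], "HTTP_", 5) != 0)
            continue;              /* not on the allowlist */
        if (strncmp(env[i], "HTTP_PROXY=", 11) == 0)
            continue;              /* collides with the proxy setting */
        env[kept++] = env[i];
    }
    env[kept] = NULL;
    return kept;
}
```

Matching on `HTTP_PROXY=` with the trailing `=` keeps distinct names such as `HTTP_PROXY_AUTHORIZATION`, so only the colliding variable is removed.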
