Denys Vlasenko wrote: > On Wednesday 12 September 2007 22:18, Nathan Angelacos wrote: >>>>> I have a question about busybox httpd and its cgi environment: Is there >>>>> a way to setup and/or access environment variables other than the >>>>> variables that are defined by the common gateway interface? >>>> CGI cannot "setup" (i.e. change) environment variables >>>> of the parent httpd process. It can only play with its own ones. >>>> >>>>> The reason I'm asking is because I'm writing a cgi program that handles >>>>> a form differently depending on how my system is configured so the >>>>> results aren't completely defined using cgi variables. >>>> I *think* httpd just passes down whatever environment variables >>>> it got set at the moment it was started itself. >>>> >>>> If it is not so, report it as a bug. >>> OK, Busybox httpd_main calls clearenv if ENABLE_FEATURE_HTTPD_CGI and >>> that's a bug. Please delete the call to clearenv in http_main. Thanks! >> I disagree. Every web server I've ever worked with sends a stripped >> down "safe" set of environment variables to the cgi - not the full >> environment when it was started. > > This argument is not a particularly good explanation > why this is a good idea.
Fair enough. Other web servers do it that way. I assume they have good reason for doing so. That may be an entirely false assumption. > >> bb httpd is not fully RFC compliant, so there are warts, but I really >> don't want to have to worry about clearing the execution environment >> /prior/ to starting httpd. > > Now I disagree. It's trivial to strip environment prior > to starting httpd: > > env - httpd > or > env - PATH="$PATH" httpd > > and both users who want stripped env and who need some env vars > to be set can both get what they want. > > Granted, you need to think a tiny bit about security before you > decide how to to start httpd in this case. But you need to think > about security anyway, right? > > However, with mandatory stripping of env in httpd we'll make > those users which want to pass an env variable to cgi unhappy. > > Why do you want it? > > * You are evil and want people to suffer ;) > or > * You don't want to be bothered to type "env -" > or > * You didn't consider the ramifications of mandatory stripping > for those users which *really* need to pass a variable > or > * You are more educated than me and you have an RFC or something > which says that env must be stripped (can you give me an URL?) > 1. Evidently you feel so. :-) 2. Yes. Other web servers don't work that way. Why do I have to remember bb httpd is an exception? 3. No, actually, I *am* aware of it - and felt the same way as Paul at first. But in the end, the restricted shell environment means theres one less thing the cgi writer has to worry about. A workaround for current bb httpd (and every other small web server) is to have an extra file with the variables you want to pass to the cgi, and have the cgi "source" that file. Not pretty, but it works. Apache has lots of other ways to do similar - bb httpd doesn't need to be apache. 4. No. RFC 3875 is silent on setting up the cgi runtime environment. However, RFC 3875, http://ken.coar.org/cgi/cgi-120-00a.html and http://httpd.apache.org/docs/2.2/env.html document that there is a disconnect from the operating system's environment variables and the environment variables available to a CGI script. The environment variables are the API between the server's handling the client's request and the script. They do not need to have any relationship to the httpd server's OS environment. [Executive summary] You are the maintainer, you can go either way, and I'll respect your call. In my opinion, however, calling httpd's use of clearenv a bug is just as evil as saying it isn't. _______________________________________________ busybox mailing list [email protected] http://busybox.net/cgi-bin/mailman/listinfo/busybox
