Not trying to beat a dead horse, but the previous reply didn't really address an important question:
"Why do you want it [the environment cleared]?"

Denys Vlasenko wrote:
>
> Now I disagree. It's trivial to strip environment prior
> to starting httpd:
>
>     env - httpd
> or
>     env - PATH="$PATH" httpd
>
> and both users who want stripped env and who need some env vars
> to be set can both get what they want.
>
> Granted, you need to think a tiny bit about security before you
> decide how to start httpd in this case. But you need to think
> about security anyway, right?
>
> However, with mandatory stripping of env in httpd we'll make
> those users which want to pass an env variable to cgi unhappy.
>
> Why do you want it?
>

Information leakage.

http://www.irt.org/articles/js184/index.htm

    One of the most frequent security problems in CGI scripts is
    inadvertently passing unchecked user-supplied variables or "tainted
    variables" to the shell. Tainted variables are those that contain
    data that originate from outside the script, including data read
    from environment variables, from command line array, or from
    standard input.

Changing the default to be "expose server's environment" from "off" to
"on" changes the security equation, and puts a greater load on every
cgi script author.

off - every cgi script only has to account for a subset of possible
      environment variables, and must do something exceptional to get
      more.

on  - every cgi script must now account for [unenlightened] httpd
      administrators, and take precautions.

For example, the "env" cgi:

    #!/bin/sh
    echo content-type: text/plain
    echo
    env

Not a good idea to have on any system, but it's a common example cgi.

An example of this gone bad is here:

http://impressive.net/people/gerald/2000/10/set

It is [inadvertently] exposing his local hostname, shell version,
machine type, the fact that the cgi is running in his home dir, what
his local name is, that the nobody user is probably UID 33 and other
interesting facts that help the bad-guys.

Yes, it's the responsibility of the cgi script writer to fix this.
But the person writing the script is in most cases not the same as the
person running the web server. The script at impressive.net obviously
did not expect the web server to expose more data than would be
considered "sane." It's the reason most other web servers start from an
empty environment for the cgi script - to provide one more notch in the
whole security equation.

Hope this explains a little better. Otherwise, sorry for the noise.

_______________________________________________
busybox mailing list
[email protected]
http://busybox.net/cgi-bin/mailman/listinfo/busybox
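The two positions in the thread (strip the environment before httpd starts versus let the CGI author cope) can be checked directly. The script below is an added example, not code from the busybox thread or from busybox itself: it starts a child from a stripped environment the way `env - httpd` does, using an allow-list of CGI request variables, and then counts what the child can still see. ALLOWED_CGI_VARS, the HOSTNAME_LEAK and SHELL_VERSION_LEAK variables and the helper names are all constructed for the demonstration; `env -i` is used as the portable spelling of the `env -` from the quoted reply.

```shell
#!/bin/sh
# Added example (not code from the busybox thread): start a CGI from a
# stripped environment and measure what the child can still see.
# ALLOWED_CGI_VARS is an assumed allow-list of request variables plus PATH.

ALLOWED_CGI_VARS="PATH REQUEST_METHOD QUERY_STRING SCRIPT_NAME SERVER_NAME"

# Constructed server-side state, the kind of detail the impressive.net
# "env" CGI leaked. Exported so an unstripped child inherits it.
HOSTNAME_LEAK="webhost.internal";  export HOSTNAME_LEAK
SHELL_VERSION_LEAK="demo-sh-1.0";  export SHELL_VERSION_LEAK
REQUEST_METHOD="GET";              export REQUEST_METHOD
QUERY_STRING="a=1";                export QUERY_STRING

# The "env" CGI from the thread as a function: header, blank line, body.
env_cgi() {
    printf 'content-type: text/plain\n\n'
    env
}

# run_cgi_stripped ALLOW COMMAND...: run COMMAND with only the variables
# named in ALLOW (space separated) carried over. Runs in a subshell, so the
# caller's own environment is left untouched.
run_cgi_stripped() {
    _allow=$1; shift
    (
        # Only lines of the form NAME=... are taken as variable names, so
        # continuation lines of multi-line values are ignored.
        for _name in $(env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p'); do
            _keep=no
            for _a in $_allow; do
                if [ "$_name" = "$_a" ]; then _keep=yes; fi
            done
            [ "$_keep" = yes ] || unset "$_name" 2>/dev/null || :
        done
        exec "$@"
    )
}

# leaked_count ALLOW: number of variables outside ALLOW that a child started
# by run_cgi_stripped still sees. "_" is skipped because bash sets it to the
# path of every executed command; it is not inherited server state.
leaked_count() {
    run_cgi_stripped "$1" env \
      | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' \
      | {
            _n=0
            while read -r _name; do
                if [ "$_name" = "_" ]; then continue; fi
                _keep=no
                for _a in $1; do
                    if [ "$_name" = "$_a" ]; then _keep=yes; fi
                done
                [ "$_keep" = yes ] || _n=$((_n + 1))
            done
            echo "$_n"
        }
}

# inherited_child_has NAME / stripped_child_has NAME: exit 0 if a child
# started the given way sees the variable NAME.
inherited_child_has() {
    sh -c 'env | grep -q "^$1="' sh "$1"
}
stripped_child_has() {
    run_cgi_stripped "$ALLOWED_CGI_VARS" sh -c 'env | grep -q "^$1="' sh "$1"
}

# Demo when run directly: unstripped child leaks, stripped child does not.
if inherited_child_has HOSTNAME_LEAK; then
    echo "unstripped child sees HOSTNAME_LEAK"
fi
if stripped_child_has HOSTNAME_LEAK; then
    echo "stripped child still sees HOSTNAME_LEAK (unexpected)"
else
    echo "stripped child does not see HOSTNAME_LEAK"
fi
echo "variables leaked past the allow-list: $(leaked_count "$ALLOWED_CGI_VARS")"
```

The allow-list is the decision the quoted reply says the administrator has to make; whatever is not on it never reaches the script, so the CGI author's tainted-variable problem shrinks to the names on that list. Running the stripped `env_cgi` in place of `env` at the end shows the difference between the two defaults discussed above.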
