On 01 Jan 2014, at 1:59 PM, Stefan Fritsch <s...@sfritsch.de> wrote:

> I definitely like this idea. While I haven't done a full review of the 
> patch, I have a few questions:
> 
> Aren't the apr_table keys case insensitive anyway? Why do we need the 
> case conversion of the key names?

All the variables in subprocess_env are all uppercased; before I added the 
uppercasing, the variables were the only ones lowercased when they were listed, 
and it looked wrong.

> Maybe making ap_regname() accept an optional prefix string that is 
> prepended to each name would be a good idea?
> 
> Maybe the use in <LocationMatch> and friends should add some prefix to 
> the names? Like "m_" or "match_" or "m:"? This would make it more 
> difficult to shoot oneself in the foot by allowing a remote attacker 
> to set env variables that have some special meanings elsewhere in 
> httpd (or in an executed cgi script). And/or maybe these values should 
> be filtered out again when exporting them to cgi env variables?

I wondered about this; on one hand it is nice to be able to set any variable, 
but on the other hand there is a lot of safety in preventing someone from being 
able to shadow an existing variable. I had "MATCH_FOO" in mind originally.

Regards,
Graham
--
