Re: svn commit: r1811831 - /httpd/httpd/trunk/server/util_script.c
On Mon, Apr 9, 2018 at 10:07 AM, Joe Orton wrote: > On Thu, Apr 05, 2018 at 01:38:05PM +0200, Yann Ylavic wrote: >> On Wed, Oct 11, 2017 at 4:48 PM, wrote: >> > Author: jorton >> > Date: Wed Oct 11 14:48:55 2017 >> > New Revision: 1811831 >> > >> > URL: http://svn.apache.org/viewvc?rev=1811831&view=rev >> > Log: >> > * server/util_script.c (ap_add_common_vars): Allow mod_env to override >> > all system path environment variables, not just PATH. (The >> > behaviour for PATH alone was changed in r965679 for PR 43906.) >> >> Since SetEnv* are usable from htaccess, don't we open a risky door here? > > If we allow control over PATH (which we do already) I am struggling to > imagine how it would be worse to allow control of anything other env > var. LD_LIBRARY_PATH (and alike) look even more "fun" to play with, possibly. Whilst applications may not need/use PATH, they can't do much about LD_LIBRARY_PATH. PR 43906 states that one can already overwrite LD_LIBRARY_PATH, it's not the case anymore today I think (w/o this commit). > > Can you think of a scenario where it would be a problem? Custom .so in /path/to/my/htaccess-ed/htdocs for instance which would be loaded underneath the app (with the same rights). Although I agree that PATH may already be an issue, so it all depends on the "trust" given to htaccess files I suppose... How about a directive to control that? yes it sucks, but... Regards, Yann.
Re: svn commit: r1811831 - /httpd/httpd/trunk/server/util_script.c
On Thu, Apr 05, 2018 at 01:38:05PM +0200, Yann Ylavic wrote: > On Wed, Oct 11, 2017 at 4:48 PM, wrote: > > Author: jorton > > Date: Wed Oct 11 14:48:55 2017 > > New Revision: 1811831 > > > > URL: http://svn.apache.org/viewvc?rev=1811831&view=rev > > Log: > > * server/util_script.c (ap_add_common_vars): Allow mod_env to override > > all system path environment variables, not just PATH. (The > > behaviour for PATH alone was changed in r965679 for PR 43906.) > > Since SetEnv* are usable from htaccess, don't we open a risky door here? If we allow control over PATH (which we do already) I am struggling to imagine how it would be worse to allow control of anything other env var. Can you think of a scenario where it would be a problem? Regards, Joe
Re: svn commit: r1811831 - /httpd/httpd/trunk/server/util_script.c
On Wed, Oct 11, 2017 at 4:48 PM, wrote: > Author: jorton > Date: Wed Oct 11 14:48:55 2017 > New Revision: 1811831 > > URL: http://svn.apache.org/viewvc?rev=1811831&view=rev > Log: > * server/util_script.c (ap_add_common_vars): Allow mod_env to override > all system path environment variables, not just PATH. (The > behaviour for PATH alone was changed in r965679 for PR 43906.) Since SetEnv* are usable from htaccess, don't we open a risky door here? Regards, Yann.
