source: trunk/server/common/patches/httpd-suexec-CVE-2016-5387.patch @ 2774

Last change on this file since 2774 was 2774, checked in by andersk, 8 years ago

File size: 1.3 KB

support/suexec.c
------------------------------------------------------------------------ r1659711 | sf | 2015-02-13 18:24:10 -0500 (Fri, 13 Feb 2015) | 4 lines suexec: Filter out HTTP_PROXY Some programs look there for the http proxy server.
91 91 static const char *const safe_env_lst[] = 92 92 { 93 93 /* variable name starts with */ 94 "HTTP_",95 94 "SSL_", 95 /* "HTTP_" is handled specially in clean_env() */ 96 96 97 97 /* variable name is */ 98 98 "AUTH_TYPE=", … … 253 253 cidx++; 254 254 255 255 for (ep = envp; *ep && cidx < AP_ENVBUF-1; ep++) { 256 if (strncmp(*ep, "HTTP_", 5) == 0) { 257 if (strncmp(*ep + 5, "PROXY=", 6) == 0) { 258 /* 259 * HTTP_PROXY is treated as alias for http_proxy by some 260 * programs. 261 */ 262 } 263 else { 264 /* Other HTTP_* are safe */ 265 cleanenv[cidx] = *ep; 266 cidx++; 267 } 268 continue; 269 } 256 270 for (idx = 0; safe_env_lst[idx]; idx++) { 257 271 if (!strncmp(*ep, safe_env_lst[idx], 258 272 strlen(safe_env_lst[idx]))) {
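
Review bot: In the clean_env() hunk, the `HTTP_PROXY=` case is an `if` whose body is only a comment, so the variable is dropped by falling through to `continue`, which is easy to misread or to break in a later edit. Inverting the test, so that the copy into `cleanenv[cidx]` runs when `strncmp(*ep + 5, "PROXY=", 6) != 0`, would remove the empty branch, and the comment could then state outright that the variable is being filtered. This is also a one-name denylist inside an allowlist: the `/* Other HTTP_* are safe */` comment covers every other `HTTP_`-prefixed name, so any further name that has to be dropped will need its own case here now that `"HTTP_"` is no longer in `safe_env_lst`.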