Timestamp:
Jul 18, 2016, 7:53:10 PM (8 years ago)
Author:
andersk
Message:
Apply the 2015 suexec patch for CVE-2016-5387 “httpoxy”.

Also remove our inexplicable whitelist entry for HTTPS_* environment
variables.
File:
1 edited

  • trunk/server/common/patches/httpd-suexec-scripts.patch

    r2591 r2774  
    5252 #include "ap_config.h"
    5353 #include "suexec.h"
    54 @@ -92,6 +95,7 @@ static const char *const safe_env_lst[] =
    55  {
    56      /* variable name starts with */
    57      "HTTP_",
    58 +    "HTTPS_",
    59      "SSL_",
    60  
    61      /* variable name is */
    6254@@ -268,9 +272,108 @@ static void clean_env(void)
    6355     environ = cleanenv;
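Review bot: The `"HTTP_",` prefix entry shown as context at old line 57 still matches HTTP_PROXY, and the lines visible here only drop the hunk that added `"HTTPS_",`. Please confirm that the clean_env hunk under `@@ -268,9 +272,108 @@` explicitly excludes HTTP_PROXY, the variable CVE-2016-5387 is about, before the environment is handed to the script. It is also worth checking that no hosted script relied on HTTPS_-prefixed variables surviving suexec; the removed prefix would never have matched a variable named exactly HTTPS, so that one is unaffected by this entry. A smaller point: the `@@ -268,9 +272,108 @@` header is unchanged although the dropped hunk contributed one added line, so unless another part of this changeset compensates, its new-file start of 272 is now one too high. patch will still apply it with an offset, but regenerating the patch would keep the headers exact.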