Re: passing all env vars to a cgi

André Warnier wrote:
Karel Kubat wrote:

Hi,

On Feb 12, 2009, at 8:59 AM, Jürgen Mathwich wrote:

I've got a problem regarding apache's environ handling. I know about the usage of SetEnv and PassEnv. To use them I have to know the key/name of every single environ variable.

When doing a

# cat /proc/<APACHE-PID>/environ

it shows me more variables than the cgi knows about. Now I have a project where I need to pass all the vars without knowing their keys to the cgi (just ALL of them), but I don't have any idea how to solve this in an easy way.

Maybe some of you had a similar problem in the past and know how to solve it.

This will depend on the platform of your CGI programs. E.g., in Perl there is the hash %ENV. In C there is the third argument to main(), **envp. In shell script you can use your above way, but more portable is running /usr/bin/env.

Hi.
I don't think that works.
It is Apache who decides which of the environment values *of Apache* get passed to the cgi-bin environment. The cgi-bin script then only sees *these* environment values. So whatever you do in the cgi-bin script (no matter which language it is written in), is never going to show you more than what Apache passes on.

To take the problem from the other end: by default, Apache only passes some environment values to cgi-bin scripts. Those are the ones defined by the cgi-bin specs (such as DOCUMENT_ROOT etc.). The reasons for that are linked to security and to the cost of setting up that environment. To force Apache to pass more values, there exist the (static) configuration directives PassEnv and SetEnv. But as the OP says, this means you have to know in advance which environment values you want to pass.
I don't think that there is a way to do otherwise, and maybe rightly so.

Now the real question is, what kind of project would require ALL Apache environment values to be made available to the cgi-bin script? I mean, if you don't even know the name of an environment variable of Apache, then why would you need the cgi-bin to get its value? In other words, what are you going to do with it, if you don't even know what it's for?

Re-reading the above, I want to add something, because it seems to me that it is still not clear enough: Suppose that you would find a way to do that (pass ALL Apache environment values to ALL cgi-bin scripts). In my opinion, you are then creating a BIG security problem. Example: one of these environment values (which you did not notice until now), may contain an administrative password to some confidential database. That value would then suddenly become available to all cgi-bin scripts that run under Apache. Another aspect is name conflicts: if you are doing this to allow a number of applications that you do not really know, to find values they need, then how can you guarantee that two different applications are not using the same environment value name, for different things? In other words, you may have thought of this as a cheap substitute for a lot of painful work, but I really don't think it is a good idea.
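
An added example, not part of the thread: instead of passing everything, this sketch diffs the server's environment (in the NUL-separated format of /proc/<APACHE-PID>/environ) against what the CGI already sees and emits an explicit PassEnv line only for requested names that do not look like credentials. The sample data, the SENSITIVE name pattern and the function names are assumptions made for illustration.

```python
import re

# Constructed sample in the NUL-separated format of /proc/<APACHE-PID>/environ.
APACHE_ENVIRON = (b"PATH=/usr/sbin:/usr/bin\0LANG=C\0ORACLE_HOME=/opt/oracle\0"
                  b"DB_ADMIN_PASSWORD=constructed-secret\0TZ=Europe/Berlin\0")
# Constructed sample: variable names the CGI script already receives.
CGI_SEEN = {"PATH", "DOCUMENT_ROOT", "SERVER_NAME", "REQUEST_METHOD"}

# Assumed heuristic for names that probably hold credentials; tune per site.
SENSITIVE = re.compile(r"(PASS|PWD|SECRET|TOKEN|KEY|CREDENTIAL)", re.I)

def parse_environ(blob):
    """Split a NUL-separated environ blob into a name -> value dict."""
    env = {}
    for entry in blob.split(b"\0"):
        if b"=" not in entry:
            continue  # skips the empty trailing entry and malformed ones
        name, _, value = entry.partition(b"=")
        env[name.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env

def review(apache_env, cgi_seen, wanted):
    """Return (PassEnv line, sensitive names currently withheld, wanted names not set)."""
    hidden = set(apache_env) - set(cgi_seen)  # set for Apache, not passed to the CGI
    flagged = sorted(n for n in hidden if SENSITIVE.search(n))
    allow = sorted(n for n in wanted if n in hidden and n not in flagged)
    missing = sorted(n for n in wanted if n not in apache_env)
    line = "PassEnv " + " ".join(allow) if allow else ""
    return line, flagged, missing

if __name__ == "__main__":
    env = parse_environ(APACHE_ENVIRON)
    wanted = ["ORACLE_HOME", "TZ", "DB_ADMIN_PASSWORD", "NLS_LANG"]
    line, flagged, missing = review(env, CGI_SEEN, wanted)
    print(line)                       # directive to paste into the Apache config
    print("keep withheld:", flagged)  # names only, never values
    print("not set in Apache:", missing)
```

The report prints variable names only, so the review output itself does not leak the values it is meant to protect.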
