Received: (qmail 25259 invoked by uid 2012); 21 Oct 1997 00:03:32 -0000 Message-Id: <19971021000332.25258.qmail@hyperreal.org> Date: 21 Oct 1997 00:03:32 -0000 From: M.D.Parker Reply-To: mdpc@netcom.com To: apbugs@hyperreal.org Subject: UNIQUE_ID not contained in "safe" export variable list for suexec.c X-Send-Pr-Version: 3.2 >Number: 1284 >Category: suexec >Synopsis: UNIQUE_ID not contained in "safe" export variable list for suexec.c >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon Oct 20 17:10:01 PDT 1997 >Last-Modified: Wed Oct 22 01:07:37 PDT 1997 >Originator: mdpc@netcom.com >Organization: >Release: 1.3b2 >Environment: Linux 2.0.27 (but this is not generally revelent to the bug report) >Description: The UNIQUE_ID variable is not in the "safe" variable list and thus is not present in the environment of the program suexec passes control to. Thus making this new Apache 1.3 variable feature unavailable to any CGI script running through suexec. This is basically a non-critical bug UNLESS you need this variable for your CGI script which then makes it a serious problem. >How-To-Repeat: when using suexec wrapper program, just check the environment of the running program spawned. In my case, it was the test-cgi script with a little mod to output the results of env and set bourne-shell commands. >Fix: Add line to the character pointer array safe_env_list: "UNIQUE_ID", before "USER_NAME"%2 >Audit-Trail: State-Changed-From-To: open-analyzed State-Changed-By: Lars.Eilebrecht@unix-ag.org State-Changed-When: Tue Oct 21 08:00:42 PDT 1997 State-Changed-Why: I'm going to check this... State-Changed-From-To: analyzed-closed State-Changed-By: rse State-Changed-When: Wed Oct 22 01:07:37 PDT 1997 State-Changed-Why: Fixed for Apache 1.3b3 by ading the var to the list of acceptable vars in suexec.c >Unformatted: