Received: (qmail 43448 invoked by uid 501); 8 Feb 2001 05:10:22 -0000
Message-Id: <20010208051022.43447.qmail@apache.org>
Date: 8 Feb 2001 05:10:22 -0000
From: Jay Kreibich
Reply-To: jak@uiuc.edu
To: submit@bugz.apache.org
Subject: CGI needs actual HTTP request header values.
X-Send-Pr-Version: 3.110

>Number: 7215
>Category: mod_setenvif
>Synopsis: CGI needs actual HTTP request header values.
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: closed
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: apache
>Arrival-Date: Wed Feb 07 21:20:01 PST 2001
>Closed-Date: Thu Feb 08 11:08:18 PST 2001
>Last-Modified: Thu Feb 08 11:08:18 PST 2001
>Originator: jak@uiuc.edu
>Release: 1.3.17
>Organization:
>Environment:
SunOS 5.8 Generic_108528-04 sun4m sparc compiled with Sun's "cc".
>Description:
I'm developing CGI scripts that need to know the full value of some "x-" HTTP request headers (generated by WAP gateways). Although I can use SetEnvIf to test for the existence of such headers, there is no way to get the value of these dynamic headers into an envar that will get passed to my CGI script.

FIX: The included patch adds one more syntax to mod_setenvif statements that looks like this:

SetEnvIf
=$ If the matches against the value of
, the whole
value is copied into .

ISSUES: This has the possibility of breaking some existing SetEnvIf statements. There are also some security concerns about taking a header value of unknown constraints and passing it to a CGI. This is a security concern more for the CGI script than Apache. I assume Apache offers the same protection against attacks (like huge headers looking for a buffer overflow) for these values as it does for more standardized ones, such as User-Agent.

Note, the patch plays a little fast and loose with strcmp(), but only in the same fashion it was already being used.
>How-To-Repeat:
>Fix:
Patch to src/modules/standard/mod_setenvif.c
######diff###### --- mod_setenvif-old.c Wed Feb 7 22:44:49 2001 +++ mod_setenvif.c Wed Feb 7 22:44:49 2001 
@@ -441,7 +441,13 @@ ap_table_unset(r->subprocess_env, elts[j].key); } else { - ap_table_setn(r->subprocess_env, elts[j].key, elts[j].val); + if (!strcmp(elts[j].val, "$")) { + ap_table_setn(r->subprocess_env, elts[j].key, val); + } + else { + ap_table_setn(r->subprocess_env, elts[j].key, + elts[j].val); + } } } } ######end diff######
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open-closed
State-Changed-By: slive
State-Changed-When: Thu Feb 8 11:08:14 PST 2001
State-Changed-Why:
I am a little confused about why you need this, since CGI scripts already have access to all the HTTP request header fields. For example, if I send an X-Test: 123 request header, then Apache sets the environment variable HTTP_X_TEST to the value 123 and makes it available to your CGI scripts.

In any case, if you really need the ability to set environment variables manually based on the request headers, please look into using mod_rewrite which has this capability.

Thanks for using Apache!
>Unformatted:
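
Review bot: The new `!strcmp(elts[j].val, "$")` test turns a bare `$` into a reserved value with no escape form, so an existing directive that deliberately sets a variable to the literal string `$` now receives the matched value instead; a syntax that was previously invalid, or an explicit escape, would avoid changing the meaning of working configurations, and the new form needs an entry in the mod_setenvif documentation. In the same branch, `ap_table_setn(r->subprocess_env, elts[j].key, val)` stores `val` by reference and unmodified: `ap_table_setn` does not copy its arguments, so confirm that `val` lives at least as long as `r->subprocess_env` or use `ap_table_set`, and state in the documentation that when the matched attribute is a request header the exported value is client-supplied and constrained only by the configured regex.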
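
The header-to-variable mapping described in the reply above, together with the submitter's point that the CGI script must cope with header values of unknown constraints, as an added example that is not part of the original report or of Apache's code. The function names, the 256-character cap, the X-Long and X-Id headers and the sample environment are assumptions constructed for illustration.

```python
import re

MAX_LEN = 256  # assumed cap for this example; size it to the header you expect

# Constructed sample of what a CGI script might see in its environment.
SAMPLE_ENV = {
    "HTTP_X_TEST": "123",          # the X-Test: 123 case from the reply above
    "HTTP_X_LONG": "A" * 5000,     # oversized value
    "HTTP_X_ID": "123\n",          # digits followed by a stray newline
}


def cgi_env_name(header):
    """Map a header name to its CGI variable: HTTP_ prefix, upper case, '-' -> '_'."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", header):
        raise ValueError("unexpected character in header name: %r" % header)
    return "HTTP_" + header.upper().replace("-", "_")


def read_header(environ, header, pattern, max_len=MAX_LEN):
    """Return the value only if present, within max_len and fully matching pattern."""
    value = environ.get(cgi_env_name(header))
    if value is None or len(value) > max_len:
        return None
    # fullmatch, not match: a pattern ending in '$' under re.match would still
    # accept a trailing newline, and an unanchored one would accept any prefix.
    if re.fullmatch(pattern, value) is None:
        return None
    return value


def colliding_headers(names):
    """Return CGI variables that more than one of the given header names maps to."""
    seen = {}
    for name in names:
        seen.setdefault(cgi_env_name(name), []).append(name)
    return {var: hdrs for var, hdrs in seen.items() if len(hdrs) > 1}


if __name__ == "__main__":
    for hdr in ("X-Test", "X-Long", "X-Id", "X-Missing"):
        print(hdr, "->", repr(read_header(SAMPLE_ENV, hdr, r"[0-9]+")))
    print(colliding_headers(["X-Test", "X_Test", "Host"]))
```

The collision check matters because the script sees only the variable name: two distinct header names that map to the same variable are indistinguishable once they reach the environment.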