Received: (qmail 14157 invoked by uid 501); 15 Nov 2001 17:11:47 -0000
Message-Id: <20011115171147.14156.qmail@apache.org>
Date: 15 Nov 2001 17:11:47 -0000
From: Tom Parsoneault
Reply-To: tom@superserve.net
To: submit@bugz.apache.org
Subject: adding ?x=y to suexec link causes it to fail
X-Send-Pr-Version: 3.110

>Number: 8765
>Category: mod_cgi
>Synopsis: adding ?x=y to suexec link causes it to fail
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Thu Nov 15 09:20:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: tom@superserve.net
>Release: Apache/2.0.16
>Organization: apache
>Environment:
Linux 2.2.16
gcc-c++-2.96-69

[root@ns1 /root]# /apache2016/bin/httpd -V
Server version: Apache/2.0.16
Server built: Nov 13 2001 05:24:07
Server's Module Magic Number: 20010224:1
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/threaded"
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6
 -D APR_USE_FCNTL_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D HTTPD_ROOT="/apache2016"
 -D SUEXEC_BIN="/apache2016/sbin/suexec"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
>Description:
This is a link in a page generated by a perl script:

    /secret/cgi/calendar/calendar.pl

works but

    /secret/cgi/calendar/calendar.pl?vsSD=1&vsMonth=11&vsYear=2001

fails with a server internal error msg.

suexec_log has something like this when it works:

    uid: (513/superserve) gid: (508/508) dir:(/home/superserve/httpd/./) cmd: calendar.pl

and something like this when it fails:

    uid: (513/superserve) gid: (508/508) dir:(/home/superserve/httpd/./) cmd:

In ap_unix_create_privileged_process the line

    newargs[3] = apr_pstrdup(p, progname);

puts a null string into newargs[3], causing suexec to fail.

I hope this isn't happening because of me not fully understanding how suexec works..
The apr_palloc call that pstrdup makes against the pool p is what fails.
Note that the returned pointer is NOT a NULL, it points to an empty string.
Looks like the memcpy (in apr_pstrdup) is failing.. progname is always "calendar.pl"

Strange.. the pool p appears to be valid. I'm not getting any seg faults or
anything like that.. suexec just fails to run because its cmd argument points
to something it can't stat, namely an empty string.
>How-To-Repeat:
This is a perl script from http://www.verysimple.com/scripts/organize.html

Install it suexec. click on the calendar and it will run.
Click on a day, or "show details" and it fails.
>Fix:
This is for demo only.. I doubt it would work multi-platform and it gobbles
stack, etc. etc. ... a malloc might also work on some platforms..
(I really need to find out why pstrdup fails here)

In os/unix/unixd.c:

    ap_unix_create_privileged_process(
        char txt[500];

Add the stuff in the "#if 1" block below the line:

    newargs[3] = apr_pstrdup(p, progname);

that fails:

    #if 1 // tjp this fixes it
        strcpy( &txt[0], progname );
        newargs[3]=&txt[0];
    #endif
>Release-Note:
>Audit-Trail:
>Unformatted:
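
An added example, not part of the original report or of Apache's code: a small scanner that finds suexec_log entries whose cmd field is empty, the symptom described above. The field layout is taken from the two lines quoted in the report; the function names, the optional leading timestamp and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Layout follows the lines quoted in the report; the pattern is unanchored on
# the left so a leading timestamp (assumed) is tolerated, and dir: is optional.
ENTRY = re.compile(
    r"uid:\s*\((?P<uid>\d+)/(?P<user>[^)]*)\)\s+"
    r"gid:\s*\((?P<gid>\d+)/(?P<group>[^)]*)\)\s+"
    r"(?:dir:\s*\((?P<dir>[^)]*)\)\s+)?"
    r"cmd:[ \t]*(?P<cmd>.*)$"
)

def parse_entry(line):
    """Return the fields of one log entry as a dict, or None if it is not one."""
    m = ENTRY.search(line.rstrip("\n"))
    if m is None:
        return None
    entry = m.groupdict()
    entry["cmd"] = entry["cmd"].strip()
    return entry

def empty_cmd_entries(lines):
    """Return (line_number, entry) for every entry whose cmd field is empty."""
    hits = []
    for number, line in enumerate(lines, 1):
        entry = parse_entry(line)
        if entry is not None and entry["cmd"] == "":
            hits.append((number, entry))
    return hits

def summarize(hits):
    """Count empty-cmd entries per (user, dir) to show which vhost is affected."""
    return Counter((e["user"], e["dir"]) for _, e in hits)

# Constructed sample: lines 1 and 2 mirror the report, the rest are made up.
SAMPLE = [
    "uid: (513/superserve) gid: (508/508) dir:(/home/superserve/httpd/./) cmd: calendar.pl\n",
    "uid: (513/superserve) gid: (508/508) dir:(/home/superserve/httpd/./) cmd:\n",
    "[2001-11-15 09:12:03]: uid: (514/other) gid: (509/509) cmd: index.cgi\n",
    "uid: (513/superserve) gid: (508/508) dir:(/home/superserve/httpd/./) cmd:   \n",
    "unrelated line that is not a suexec entry\n",
]

if __name__ == "__main__":
    for number, entry in empty_cmd_entries(SAMPLE):
        print(f"line {number}: empty cmd for uid {entry['uid']} ({entry['user']})")
```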