https://bz.apache.org/bugzilla/show_bug.cgi?id=59886
--- Comment #6 from Eric Covener <cove...@gmail.com> ---
(In reply to Christoph Anton Mitterer from comment #5)
> Hmm, I just re-thought the whole thing...
>
> Isn't the problem below httpoxy actually "much" bigger, at least in
> principle?
>
> Who says that there aren't any further scripts out there (which are run from
> webservers, which export HTTP_<header> vars), which make use of such names?
> HTTP_* is pretty generic and by no means anything one would need to assume
> "belongs" to CGI, or to webserver-set variables that aren't to be
> trusted.
>
> There could be an HTTP_MODE variable which takes e.g. "plain" or "ssl" and
> causes the program in question to make further connections plain (and
> possibly insecure) when the attacker can overwrite it with a header.
>
> Not sure if this breaks many scripts, but it rather seems to me as if
> webservers should by default not export *any* untrusted HTTP request
> headers as envvars, at least as long as this doesn't happen below a
> sufficiently obvious namespace (e.g. SET_BY_WEBSERVER_AND_INSECURE_<header
> name> or so ;-) ...
>
> What do you think?

I don't agree; maybe someone else will. Better odds if you take it to a
mailing list as an improvement rather than further complicate this report.

-- 
You are receiving this mail because:
You are the assignee for the bug.
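The header-to-environment mapping the comment discusses, as an added example that is not code from the bug report or from httpd: a small gateway model that exports request headers as CGI meta-variables (RFC 3875 naming: uppercase, '-' to '_', 'HTTP_' prefix) and the two defensive options in play, dropping a known-dangerous name and, as the comment proposes, moving all header-derived variables under a separate namespace. The request headers, the NEVER_EXPORT set and the APP_MODE variable name are constructed for the example.

```python
"""Model of CGI header export and two hardening options (added example)."""

# Variables the gateway sets from data it controls, never from headers.
TRUSTED = {"REQUEST_METHOD": "GET", "SERVER_PROTOCOL": "HTTP/1.1"}

# Header-derived names that client libraries read as configuration
# (the httpoxy case: a Proxy request header becoming HTTP_PROXY).
# Constructed for the example; a real gateway would maintain its own list.
NEVER_EXPORT = frozenset({"HTTP_PROXY"})


def header_to_meta_var(name: str) -> str:
    """RFC 3875 meta-variable name for a request header field."""
    return "HTTP_" + name.strip().upper().replace("-", "_")


def build_cgi_env(headers, prefix="HTTP_", drop=frozenset()):
    """Return the environment a CGI script would see.

    Every untrusted header lands under `prefix`; names in `drop` are
    withheld so a header can never shadow a configuration variable.
    The defaults reproduce the classic behaviour the comment objects to.
    """
    env = dict(TRUSTED)
    for name, value in headers:
        var = header_to_meta_var(name)
        if var in drop:
            continue
        env[prefix + var[len("HTTP_"):]] = value
    return env


# Constructed request: a benign header plus two whose meta-variable names
# collide with things a script might treat as configuration.
REQUEST_HEADERS = [
    ("Host", "example.test"),
    ("Proxy", "http://192.0.2.1:8080"),
    ("Mode", "plain"),
]


def fragile_mode(env, default="ssl"):
    """The pattern the comment warns about: reading config from HTTP_*."""
    return env.get("HTTP_MODE", default)


def robust_mode(env, default="ssl"):
    """Read the mode from a variable only the deployment can set."""
    return env.get("APP_MODE", default)  # APP_MODE is a constructed name
```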