[Bug 64365] New: ProxyFCGISetEnvIf does not evaluate condition when unsetting variables.

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=64365

            Bug ID: 64365
           Summary: ProxyFCGISetEnvIf does not evaluate condition when
                    unsetting variables.
           Product: Apache httpd-2
           Version: 2.4.43
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_proxy_fcgi
          Assignee: bugs@httpd.apache.org
          Reporter: m...@mikoenig.net
  Target Milestone: ---

Created attachment 37183
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37183&action=edit
A patch that appears to fix the problem for me

Context
=======
The ProxyFCGISetEnvIf directive allows overriding variables sent to FastCGI
servers. It comes in two forms:
* Setting   variables, taking 3 arguments: ProxyFCGISetEnvIf <condition>
<varname> <value>
* Unsetting variables, taking 2 arguments: ProxyFCGISetEnvIf <condition>
!<varname>

The Bug
=======
When using the directive's second form, the variable is always unset, ignoring
the condition.

Steps to Reproduce
==================
1. Try unsetting a FastCGI variable conditionally, or (for purpose of
demonstration) even with a condition of "false".
    Examples:
        ProxyFCGISetEnvIf "false" !SERVER_SOFTWARE
        ProxyFCGISetEnvIf "%{QUERY_STRING} =~ /hello/" !SERVER_SOFTWARE
        ProxyFCGISetEnvIf "-z reqenv('cloudflare')" !HTTP_CF_CONNECTING_IP
2. Observe the specified variables being unset even if the condition evaluates
to false.
    Example PHP script:
        <?php var_dump($_SERVER['SERVER_SOFTWARE']);
    Example output:
        NULL
    Expected output:
        string(6) "Apache"
Note that the example directive conditions above work as expected when used
with setting instead of unsetting variables.

Proposed Solution
=================
I looked into the code (functions "cmd_setenv" and "fix_cgivars" in
"modules/proxy/mod_proxy_fcgi.c") and it appears the condition is correctly
parsed but during request handling unsetting takes precedence over even
evaluating the condition, see line 178.

I created a small patch (see attachment) which appears to fix the problem for
me, but it would be good if someone familiar with the code took a look.

As far as I can tell, both the problem and my patch apply to all versions of
httpd since the ProxyFCGISetEnvIf directive was introduced in version 2.4.26,
including the current development version.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org
For additional commands, e-mail: bugs-h...@httpd.apache.org