On Sat, 2 Feb 2002, Joshua Slive wrote:

>
> > From: Zvi Har'El [mailto:[EMAIL PROTECTED]]
>
> > Friends,
> >
> > I compared the environment variables I get in an SSI, like
> > <!--#printenv-->,
> > and a CGI, running a script like
> >
> > #!/usr/local/bin/zsh -x
> > echo "Content-type: text/plain"
> > echo
> > printenv
>
> [missing env variables in cgi]
>
> Are you using suexec? (httpd -l will tell you)
>
> If so, you should be aware that suexec cleans the environment down to a
> "safe" list of environment variables. Apache 2 should probably include the
> SSL_* variables in that safe list, but it doesn't at the moment.
>
> Joshua.
>

RedHat uses suexec by default, and this could be the reason. But I don't
really see why HTTPS=on is less safe than all the SSL_ variables. For me it is
a method to decide if my script should redirect to HTTP or HTTPS URLs, and
there is no security breach in giving this script this piece of information,
even though the script is run with suid set.

-- 
Dr. Zvi Har'El                mailto:[EMAIL PROTECTED]
Department of Mathematics     tel:+972-54-227607
Technion - Israel Institute of Technology     fax:+972-4-8324654
http://www.math.technion.ac.il/~rl/     Haifa 32000, ISRAEL
"If you can't say somethin' nice, don't say nothin' at all." -- Thumper (1942)
Sunday, 21 Shevat 5762, 3 February 2002, 8:54AM
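
The environment cleaning Joshua describes, sketched as an added example that is not part of the original thread and not suexec's source code. The function names, both allowlists and the sample environment are constructed for illustration; the point is that a prefix entry such as `HTTP_` does not admit `HTTPS`, so the variable only reaches the CGI when the list names it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed lists for illustration, NOT suexec's real safe list.
 * "NAME=" admits one variable; "PREFIX_" admits a whole family. */
const char *const strict_list[] = {
    "HTTP_", "QUERY_STRING=", "REQUEST_METHOD=", NULL };
const char *const ssl_aware_list[] = {
    "HTTP_", "HTTPS=", "SSL_", "QUERY_STRING=", "REQUEST_METHOD=", NULL };
/* Constructed sample of what the server might hand to the wrapper. */
const char *const sample_env[] = {
    "REQUEST_METHOD=GET", "HTTP_HOST=www.example.org", "HTTPS=on",
    "SSL_CIPHER=EXAMPLE-CIPHER", "LD_LIBRARY_PATH=/tmp/lib", NULL };

/* Copy only allowlisted "NAME=value" entries into a new NULL-terminated
 * array (strings are borrowed; caller frees the array itself). */
const char **clean_env(const char *const *env, const char *const *allow)
{
    size_t n = 0, kept = 0;
    while (env[n]) n++;
    const char **out = calloc(n + 1, sizeof *out);
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++)
        for (const char *const *a = allow; *a; a++)
            if (strncmp(env[i], *a, strlen(*a)) == 0) {
                out[kept++] = env[i];
                break;
            }
    return out;
}

/* Return the value of NAME in a "NAME=value" array, or NULL if absent. */
const char *env_get(const char *const *env, const char *name)
{
    size_t len = strlen(name);
    for (; *env; env++)
        if (strncmp(*env, name, len) == 0 && (*env)[len] == '=')
            return *env + len + 1;
    return NULL;
}

int main(void)
{
    const char **e = clean_env(sample_env, strict_list);
    /* "HTTP_" does not match "HTTPS=on", so the CGI never sees HTTPS. */
    puts(e && env_get(e, "HTTPS") ? "HTTPS kept" : "HTTPS dropped");
    free(e);
    return 0;
}
```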
