Safe namespace for passing environment vars to suexec-ed CGI script

on 11.01.2009 08:51:18 by Matt McCutchen

I operate a Web site on a shared hosting service that runs CGIs under
suexec. The site contains three "segments" (this number will increase
in the future), each of which contains one or more git repositories and
has a rewrite rule to map the URLs of those repositories to gitweb, a
CGI script. I want to keep only one copy of gitweb on the server for
ease of maintenance, but it needs to know on which segment it was called
so it can select the correct configuration file. Naturally, I tried
passing an environment variable named GITWEB_PROJECT_SEG having a
different value in each rewrite rule, but suexec dropped the variable
when it cleaned the environment.

I see that two people complained about this previously on the list and
decided to patch their own suexec to pass the variables they wanted:

http://httpd.markmail.org/message/ncyrj4zbshauqwjr
http://httpd.markmail.org/message/2o3ghiwvhtfnzmw6

I don't think this is a viable long-term solution, particularly for
shared hosts. Instead, I propose that a new safe namespace, perhaps
CGI_ (I'm open to suggestions for a better name), be allocated for
rewrite rules and potentially other Web server directives to pass
information to CGI scripts. REDIRECT_CGI_ should also be accepted as
safe to accommodate rewrite rules in htaccess files. (My Web host won't
let me edit the virtual-host-level configuration but gives me
essentially "AllowOverride All" for htaccess files.)

My current workaround is to stuff my variable in the HTTP_ namespace and
use an additional rewrite rule to copy it back from REDIRECT_HTTP_ after
an internal redirect, but this feels very kludgy.

Once the safe namespace is documented, it would be great if suexec
logged each environment variable removal and provided a pointer to that
documentation. I wasted an hour trying to find out how my variable was
getting "lost", and I would love to save other novice Web administrators
that trouble.

Comments? Unless someone suggests a better approach, I will write and
post the patch; it should be pretty straightforward.

--
Matt


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
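
A simplified model of the allowlist cleaning the message describes, added here as an example (it is not suexec's code and not from the original post). The abbreviated allowlist and the `*_GITWEB_SEG` variable names are assumptions; `CGI_` and `REDIRECT_CGI_` are the prefixes the message proposes.

```c
#include <stdio.h>
#include <string.h>

/* Allowlist modelled on suexec's: an entry ending in '_' matches as a name
 * prefix, an entry ending in '=' matches one exact name. Abbreviated subset. */
static const char *const safe_env[] = {
    "HTTP_", "SSL_", "QUERY_STRING=", "REQUEST_METHOD=", "SCRIPT_NAME=", NULL
};

/* Prefixes proposed in the message; not part of stock suexec. */
static const char *const proposed_env[] = { "CGI_", "REDIRECT_CGI_", NULL };

/* Constructed sample environment; the *_GITWEB_SEG names are hypothetical. */
static const char *const sample_env[] = {
    "REQUEST_METHOD=GET", "GITWEB_PROJECT_SEG=seg1",
    "HTTP_GITWEB_SEG=seg1", "REDIRECT_HTTP_GITWEB_SEG=seg1",
    "CGI_GITWEB_SEG=seg1", "REDIRECT_CGI_GITWEB_SEG=seg1", NULL
};

static int matches(const char *entry, const char *const *list)
{
    for (size_t i = 0; list[i] != NULL; i++)
        if (strncmp(entry, list[i], strlen(list[i])) == 0)
            return 1;
    return 0;
}

/* Returns 1 if a "NAME=value" entry would survive cleaning, 0 if dropped. */
int env_entry_kept(const char *entry, int with_proposal)
{
    return matches(entry, safe_env) ||
           (with_proposal && matches(entry, proposed_env));
}

/* Counts the entries of a NULL-terminated environment that survive. */
size_t count_kept(const char *const *env, int with_proposal)
{
    size_t n = 0;
    for (size_t i = 0; env[i] != NULL; i++)
        n += (size_t)env_entry_kept(env[i], with_proposal);
    return n;
}

int main(void)
{
    for (size_t i = 0; sample_env[i] != NULL; i++)
        printf("%-30s stock=%d proposed=%d\n", sample_env[i],
               env_entry_kept(sample_env[i], 0), env_entry_kept(sample_env[i], 1));
    return 0;
}
```

The `REDIRECT_HTTP_` entry is dropped while the `HTTP_` one survives, which is why the workaround needs a rule to copy the value back after the internal redirect. Since `HTTP_` also carries client request headers, a script that reads its segment from that namespace should check the value against the known segment names.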