Date: Fri, 25 Jan 2019 02:06:37 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 235185] www/fcgiwrap: environment should be cleaned in /usr/local/etc/rc.d/fcgiwrap Message-ID: <bug-235185-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D235185 Bug ID: 235185 Summary: www/fcgiwrap: environment should be cleaned in /usr/local/etc/rc.d/fcgiwrap Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: Individual Port(s) Assignee: rodrigo@FreeBSD.org Reporter: vas@mpeks.tomsk.su Flags: maintainer-feedback?(rodrigo@FreeBSD.org) Assignee: rodrigo@FreeBSD.org It is desirable to clean the environment in /usr/local/etc/rc.d/fcgiwrap be= fore actually starting the fcgiwrap daemon. Otherwise, when manually starting/restarting the service from the root account, the whole root's environment is leaked to CGI scripts. I think it can be even considered a security issue. How to reproduce: write a CGI shell script with "printenv" inside, run "/usr/local/etc/rc.d/fcgiwrap restart" as root, watch the CGI script's outp= ut from the Web server. Workarond: always remember to use "env -i /usr/local/etc/rc.d/fcgiwrap star= t" when (re)starting manually. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-235185-7788>