[Bug 235185] www/fcgiwrap: environment should be cleaned in /usr/local/etc/rc.d/fcgiwrap

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[Bug 235185] www/fcgiwrap: environment should be cleaned in /usr/local/etc/rc.d/fcgiwrap


--- Comment #8 from Rodney W. Grimes <[hidden email]> ---
(In reply to vas from comment #6)
I do not think "at present" that has any effect, as I can not find any place
that service(8) actually does sanatize the environment, but I may of missed it
in my 3 minute scan of that /bin/sh script.

Either way, I do now fully support that the package specific rc.d/fcgiwrap
script should do a env -i when it invokes this binary due to its potential for
being a exfiltration point.

Do note that the author of this program is aware of the fact that it can expose
its environment and actually has an internal blacklist of env variables, so to
me it appears as if the exporting is by design and intentional and the novice
user running printenv in a cgi script started by this program has loaded the
gun and pulled the trigger.

(In reply to vas from comment #7)
Realize that if you sanitize the environment in a generic way in the "foo" init
system you remove the ability of the system admin to use the environment to
effect anything that is started, and that would probably be a larger and
painful problem to solve.

You are receiving this mail because:
You are on the CC list for the bug.
[hidden email] mailing list
To unsubscribe, send any mail to "[hidden email]"