jdc8 / wub

Automatically exported from code.google.com/p/wub

CGI environment needs restricting #10

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

Create a cgi script that displays all environment variables and access the 
url. The entire environment is made available. This needs restricting with 
a whitelist of variables necessary. From tclhttpd we can see on unix 
systems we require PATH, LD_LIBRARY_PATH and TZ. On Windows we will need 
some additional items which can be researched later.

The attached patch adds a 'whitelist' arg for the CGI domain so the set of 
safe variable names can be extended in nub files. I also fix a couple of 
the server generated variables to conform to the documentation.

Additionally, CGI scripts expect to receive the client provided headers as 
HTTP_VAR_NAME type variables. The code appears to do this by adding a list 
of fields expected to be passed to the cgi. However, we need to pass any 
client headers. Sometimes we have scripts that expect additional headers 
from clients (say X-Bender: Kiss my shiny metal butt.) and this should be 
passed. To that end I added -clientheaders to be a list of fields that the 
client provided and the env command uses that to generate the variables.

Finally - as we can't unset ::env, we remove all array items not in our 
whitelist and add all the new ones. Works on my system, works with 
gitweb.cgi.

What is the expected output? What do you see instead?

What version of the product are you using? On what operating system?

Please provide any additional information below.

Original issue reported on code.google.com by pattho...@gmail.com on 15 Nov 2009 at 9:28

Attachments:
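The approach the report describes, as an added Tcl example that is not Wub's own code: prune ::env element by element down to a whitelist, then add the server-generated CGI variables and the HTTP_* variables derived from the client's headers. The proc names, the argument layout and the environment values are assumptions constructed for this illustration.

```tcl
# Added example (not Wub's own code). Variables passed through from the
# server's own environment on Unix, as listed in the issue.
set cgi_base_whitelist {PATH LD_LIBRARY_PATH TZ}

# Convert a client header name to its CGI meta-variable name:
# "X-Bender" -> HTTP_X_BENDER (upper-case, '-' becomes '_').
proc cgi_header2env {name} {
    return HTTP_[string map {- _} [string toupper $name]]
}

# Rebuild ::env in place. The ::env array as a whole cannot be unset in
# Tcl, so every element outside the whitelist is removed individually and
# the new variables are then added.
#   whitelist     - extra safe variable names allowed through (e.g. from a nub file)
#   server        - dict of server-generated CGI variables
#   clientheaders - dict of request headers supplied by the client
# Returns the sorted list of variable names left in ::env.
proc cgi_env_restrict {whitelist server clientheaders} {
    global env cgi_base_whitelist
    set allowed [concat $cgi_base_whitelist $whitelist]
    foreach name [array names env] {
        if {$name ni $allowed} {
            unset env($name)
        }
    }
    foreach {name value} $server {
        set env($name) $value
    }
    # Client headers only ever land under the HTTP_ prefix, so they cannot
    # overwrite a whitelisted or server-generated variable.
    foreach {name value} $clientheaders {
        set env([cgi_header2env $name]) $value
    }
    return [lsort [array names env]]
}

# Constructed demonstration: a polluted environment and one request.
array set env {PATH /usr/bin SECRET_TOKEN hunter2 TZ UTC}
cgi_env_restrict {LANG} \
    {GATEWAY_INTERFACE CGI/1.1 SERVER_PROTOCOL HTTP/1.1 REQUEST_METHOD GET
     SCRIPT_NAME /cgi-bin/gitweb.cgi} \
    {Host example.org X-Bender {Kiss my shiny metal butt.} User-Agent test}
foreach name [lsort [array names env]] {
    puts "$name=$env($name)"
}
```

After the call, SECRET_TOKEN is gone while PATH and TZ survive, and the X-Bender header appears as HTTP_X_BENDER.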

GoogleCodeExporter commented 9 years ago
fixed and committed with thanks

Original comment by mcc...@gmail.com on 17 Nov 2009 at 8:45