busybox httpd cgi environment

Denys Vlasenko vda.linux at googlemail.com
Thu Sep 13 15:58:24 UTC 2007


On Wednesday 12 September 2007 22:18, Nathan Angelacos wrote:
> >>> I have a question about busybox httpd and its cgi environment:  Is there
> >>> a way to setup and/or access environment variables other than the
> >>> variables that are defined by the common gateway interface?
> >> CGI cannot "setup" (i.e. change) environment variables
> >> of the parent httpd process. It can only play with its own ones.
> >>
> >>> The reason I'm asking is because I'm writing a cgi program that handles
> >>> a form differently depending on how my system is configured so the
> >>> results aren't completely defined using cgi variables.
> >> I *think* httpd just passes down whatever environment variables
> >> it got set at the moment it was started itself.
> >>
> >> If it is not so, report it as a bug.
> > 
> > OK, Busybox httpd_main calls clearenv if ENABLE_FEATURE_HTTPD_CGI and
> > that's a bug. Please delete the call to clearenv in http_main. Thanks!
> 
> I disagree.  Every web server I've ever worked with sends a stripped 
> down "safe" set of environment variables to the cgi - not the full 
> environment when it was started.

This argument is not a particularly good explanation
why this is a good idea.

> bb httpd is not fully RFC compliant, so there are warts, but I really 
> don't want to have to worry about clearing the execution environment 
> /prior/ to starting httpd.

Now I disagree. It's trivial to strip environment prior
to starting httpd:

env - httpd
or
env - PATH="$PATH" httpd

and both users who want stripped env and who need some env vars
to be set can both get what they want.

Granted, you need to think a tiny bit about security before you
decide how to to start httpd in this case. But you need to think
about security anyway, right?

However, with mandatory stripping of env in httpd we'll make
those users which want to pass an env variable to cgi unhappy.

Why do you want it?

* You are evil and want people to suffer ;)
  or
* You don't want to be bothered to type "env -"
  or
* You didn't consider the ramifications of mandatory stripping
  for those users which *really* need to pass a variable
  or
* You are more educated than me and you have an RFC or something
  which says that env must be stripped (can you give me an URL?)

I hope it's 3 or 4.
--
vda



More information about the busybox mailing list