aboutsummaryrefslogtreecommitdiffstats
path: root/src/common.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/common.c')
-rw-r--r--src/common.c34
1 files changed, 25 insertions, 9 deletions
diff --git a/src/common.c b/src/common.c
index 62ed7657..94418892 100644
--- a/src/common.c
+++ b/src/common.c
@@ -162,20 +162,36 @@ check_caller(const char* ident, const char* parentgroup)
-/* list of environment variables which are removed from the given
+/* list of environment variables which are kept in the given
* environment. Some may or may not be hand crafted and passed into
* the execv'd environment.
*
* TBD: The logic of this should be inverted. IOW, we should audit the
* Mailman CGI code for those environment variables that are used, and
- * specifically white list them, removing all other variables. John Viega
+ * specifically white list them, removing all other variables.
+ * MAS: This is now done.
+ *
+ * John Viega
* also suggests imposing a maximum size just in case Python doesn't handle
* them right (which it should because Python strings have no hard limits).
*/
-static char* killenvars[] = {
- "PYTHONPATH=",
- "PYTHONHOME=",
- "PATH=",
+static char* keepenvars[] = {
+ "CONTENT_TYPE=",
+ "HOST=",
+ "HTTP_COOKIE=",
+ "HTTP_FORWARDED_FOR=",
+ "HTTP_HOST=",
+ "HTTP_X_FORWARDED_FOR=",
+ "LOGNAME=",
+ "PATH_INFO=",
+ "QUERY_STRING=",
+ "REMOTE_ADDR=",
+ "REQUEST_METHOD=",
+ "REQUEST_URI=",
+ "SCRIPT_NAME=",
+ "SERVER_NAME=",
+ "SERVER_PORT=",
+ "USER=",
NULL
};
@@ -232,11 +248,11 @@ run_script(const char* script, int argc, char** argv, char** env)
/* filter out any troublesome environment variables */
for (i = 0, j = 0; i < envcnt; i++) {
- char** k = &killenvars[0];
- int keep = 1;
+ char** k = &keepenvars[0];
+ int keep = 0;
while (*k) {
if (!strncmp(*k, env[i], strlen(*k))) {
- keep = 0;
+ keep = 1;
break;
}
*k++;