Bug 17107

Summary: Windows should not install printenv
Product: Apache httpd-2 Reporter: Daniel Dunbar <danielpdunbar>
Component: Runtime ConfigAssignee: Apache HTTPD Bugs Mailing List <bugs>
Severity: minor Keywords: MassUpdate
Priority: P3    
Version: 2.0.44   
Target Milestone: ---   
Hardware: Other   
OS: Windows XP   

Description Daniel Dunbar 2003-02-16 04:45:19 UTC
A simple change in your sample printenv.pl script you distribute with the 
installation would probably save some people some time.

The problem and the proposed solution are presented below.

Because problems IE 6 has in rendering plain text -
Which you note in your FAQ's at

E: Configuration Questions
16. Why do my files appear correctly in Internet Explorer, but show up as 
source or trigger a save window with Netscape; or, Why doesn't Internet 
Explorer render my text/plain document correctly? 

Your cgi sample printenv.pl will often (most of the time) cause internet 
explorer 6.0 to ask if you want to open or save the file.  Unless you are 
aware of this you may think the problem is with the cgi installation (which is 
actually working fine)

The current contents of printenv.pl are
#!c:/Perl/bin/Perl.exe (particular to the installation)

print "Content-type: text/plain\n\n";
foreach $var (sort(keys(%ENV))) {
    $val = $ENV{$var};
    $val =~ s|\n|\\n|g;
    $val =~ s|"|\\"|g;
    print "${var}=\"${val}\"\n";

If you change text/plain to text/html and
print "${var}=\"${val}\"<br>\n";

html output is generated that will not cause the problem and probably save 
some people some time.
Comment 1 Joshua Slive 2003-02-16 15:42:40 UTC
This can't really be changed to html because of potential problems with
cross-site-scripting (XSS) that could allow people to steal cookies
and do other nasty things.

Unfortunately, those XSS problems exist on MSIE even with text/plain
because it can be tricked into interpreting the content as text/html.
But at least with text/plain, properly behaved browsers are not vulnerable.

My opinion is that it is too dangerous to be activating printenv.pl in
the default distribution.  It should be removed, or at least deactivated
with a big warning at the top.  Other Apache developers have never seemed
to really share my opinion, however.
Comment 2 Justin Erenkrantz 2003-02-17 08:21:02 UTC
As a data point, the executable bit must be set on Unix-based platforms for printenv to execute.  So, it is disabled by default on Unix already.  (Get a nice 500 returned if people try to access it with a default install.)

So, this seems like it is a Win32-only installation issue.  (I agree that Win32 should disable it, too.)
Comment 3 Joshua Slive 2003-04-06 20:30:19 UTC
Not a doc bug.
Comment 4 William A. Rowe Jr. 2018-11-07 21:08:37 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.