Bug 46380

Summary: Apache 2.2.10 and suexec extra argv
Product: Apache httpd-2 Reporter: Russell Rademacher <russ>
Component: mpm_worker Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED    
Severity: major CC: rudy.amid
Priority: P2 Keywords: FixedInTrunk, PatchAvailable
Version: 2.2.10   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Attachments: CGI (in perl) that exhibits this issue and includes server info
CGI with shell-as-shebang that does not suffer from this bug
don't set args if there are none

Description Russell Rademacher 2008-12-11 04:38:18 UTC
With the recent apache 2.2.10 update, @ARGV is being populated with an extra
empty argument.  Here is an example from straces of what httpd is trying to
run:

strace of process calling suexec with apache 2.2.10

[pid 18070] execve("/usr/local/apache/bin/suexec",
["/usr/local/apache/bin/suexec", "2057", "2051",
"rick.pl", ""], [/* 24 vars */]) = 0

same in apache 2.2.9

[pid 21364] execve("/usr/local/apache/bin/suexec",
["/usr/local/apache/bin/suexec", "2057", "2051",
"rick.pl"], [/* 24 vars */]) = 0


You'll notice in the 2.2.10 example, there is an empty arg being passed.  This
can easily be duplicated on any apache 2.2.10 server.

This only occurs with MPM_Worker enabled on the server. It doesn't appear in MPM_Prefork in the default setting.
Comment 1 Ruediger Pluem 2008-12-11 12:10:45 UTC
Please provide the URL that was used calling your perl script including the arguments.
Comment 2 Russell Rademacher 2008-12-11 20:50:14 UTC
http://xpthemetest.com/cgi-bin/test.cgi


This is the code for the script:

---------------------
#!/usr/bin/perl

print "Content-Type: text/html\n\n";
print "Argument count: $#ARGV<br>\n";
for ($i = 0; $i <= $#ARGV; $i++){
   print "Argument $i is: ";
   print $ARGV[$i];
   print "<br>\n";
}
1;
---------------------

prior to 2.2.10, it would return:

Argument count: -1
Comment 3 Ruediger Pluem 2008-12-12 06:22:55 UTC
Can you please try if the following patch fixes your issue?

Index: modules/generators/mod_cgid.c
===================================================================
--- modules/generators/mod_cgid.c       (revision 726007)
+++ modules/generators/mod_cgid.c       (working copy)
@@ -201,7 +201,7 @@
     char *w;
     int idx = 0;

-    if (ap_strchr_c(args, '=')) {
+    if (!(*args) || ap_strchr_c(args, '=')) {
         numwords = 0;
     }
     else {
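Review bot: The new `!(*args)` test in the `if` condition has no comment saying why an empty string has to take the `numwords = 0` path. Without one, the next reader cannot tell that it exists to stop an empty query string from reaching the `else` branch and ending up as the trailing `""` element in the suexec argv shown in the 2.2.10 strace. Both operands of the `||` also dereference `args`, so the function depends on the caller never passing NULL; either state that in the comment or write the test as `!args || !*args`. A regression test that requests a CGI with no query string and checks that the script sees no arguments would keep this from coming back.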
Comment 4 Russell Rademacher 2008-12-14 16:23:52 UTC
If there is a query string, either ?param=value or ?arg+arg+arg, no extra item is added.

The problem also seems dependent on the shebang line, for example out of these two scripts the /bin/bash one does not have a spurious argument, the /usr/bin/perl one does.


Comment 5 Dan Muey 2008-12-14 16:59:34 UTC
Created attachment 23019 [details]
CGI (in perl) that exhibits this issue and includes server info
Comment 6 Dan Muey 2008-12-14 17:00:10 UTC
Created attachment 23020 [details]
CGI with shell-as-shebang that does not suffer from this bug
Comment 7 Dan Muey 2008-12-14 17:02:13 UTC
(In reply to comment #3)
> Can you please try if the following patch fixes your issue?
> 
> Index: modules/generators/mod_cgid.c
> ===================================================================
> --- modules/generators/mod_cgid.c       (revision 726007)
> +++ modules/generators/mod_cgid.c       (working copy)
> @@ -201,7 +201,7 @@
>      char *w;
>      int idx = 0;
> 
> -    if (ap_strchr_c(args, '=')) {
> +    if (!(*args) || ap_strchr_c(args, '=')) {
>          numwords = 0;
>      }
>      else {

Unfortunately that did not resolve it.

This was my configure line:

./configure --disable-authn-default --enable-expires --enable-headers --enable-info --enable-logio --enable-rewrite --enable-ssl --enable-suexec --enable-unique-id --prefix=/usr/local/apache --with-included-apr --with-mpm=worker --with-ssl=/usr --with-suexec-caller=nobody --with-suexec-docroot=/ --with-suexec-gidmin=100 --with-suexec-logfile=/usr/local/apache/logs/suexec_log --with-suexec-uidmin=100 --with-suexec-userdir=public_html
Comment 8 Dan Muey 2008-12-14 18:02:59 UTC
(In reply to comment #7)
> (In reply to comment #3)
> > Can you please try if the following patch fixes your issue?
> > 
> > Index: modules/generators/mod_cgid.c
> > ===================================================================
> > --- modules/generators/mod_cgid.c       (revision 726007)
> > +++ modules/generators/mod_cgid.c       (working copy)
> > @@ -201,7 +201,7 @@
> >      char *w;
> >      int idx = 0;
> > 
> > -    if (ap_strchr_c(args, '=')) {
> > +    if (!(*args) || ap_strchr_c(args, '=')) {
> >          numwords = 0;
> >      }
> >      else {
> 
> Unfortunately that did not resolve it.

I take that back, it *does* resolve it :) I'll have to look into why it didn't seem to work before.
Comment 9 Dan Muey 2008-12-14 18:59:22 UTC
Created attachment 23021 [details]
don't set args if there are none

Redoing it with a make clean first and ensuring the patch is applied, definitely works.

We've applied this patch now in our EasyApache building system.

Thanks for your assistance with that, looking forward to it being part of the core :)

Thanks again!
Comment 10 Ruediger Pluem 2008-12-14 23:48:03 UTC
Committed to trunk as r726636.
Comment 11 Ruediger Pluem 2009-01-22 13:10:30 UTC
*** Bug 46530 has been marked as a duplicate of this bug. ***
Comment 12 Ruediger Pluem 2009-08-02 12:31:26 UTC
Proposed for backport as r800136.
Comment 13 Ruediger Pluem 2009-08-03 07:39:02 UTC
Backported to 2.2.x as r800410.
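
The behaviour discussed in this report, as an added example (not httpd source and not written by anyone in the thread): a simplified C model of turning a CGI query string into extra argv words, with and without the empty-string test from comment 3. The function name `query_to_words`, its `skip_empty` flag and the buffer parameters are assumptions made for illustration; URL-unescaping and shell escaping are left out.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption, not httpd source). A query string that
 * contains '=' is form data and adds no words; otherwise it is split on '+'.
 * skip_empty != 0 adds the empty-string test from the patch in comment 3.
 * Words point into buf. Returns the word count, or -1 if it does not fit. */
static int query_to_words(const char *args, int skip_empty,
                          char *buf, size_t buflen,
                          char **words, int max_words)
{
    int n = 0;
    char *p;

    if ((skip_empty && args[0] == '\0') || strchr(args, '=') != NULL)
        return 0;                       /* nothing is appended to argv */
    if (strlen(args) >= buflen || max_words < 1)
        return -1;
    strcpy(buf, args);

    words[n++] = buf;                   /* "" when args is empty */
    for (p = buf; *p != '\0'; p++) {
        if (*p == '+') {
            if (n == max_words)
                return -1;
            *p = '\0';                  /* terminate the previous word */
            words[n++] = p + 1;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed query strings covering the cases named in the thread. */
    const char *samples[] = { "", "param=value", "arg+arg+arg" };
    char buf[64];
    char *words[8];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int before = query_to_words(samples[i], 0, buf, sizeof buf, words, 8);
        int after = query_to_words(samples[i], 1, buf, sizeof buf, words, 8);
        printf("\"%s\": %d extra argv word(s) without the test, %d with it\n",
               samples[i], before, after);
    }
    return 0;
}
```

Only the empty query string changes between the two modes: one empty word without the test, none with it, which matches the `""` element in the 2.2.10 strace and its absence in 2.2.9.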