Bug 60448

Summary: mod_fcgid leaks out Variable- prefixed FcgidAuthenticator response headers
Product: Apache httpd-2 Reporter: Aron Ujvari <ujvari>
Component: mod_fcgidAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: normal    
Priority: P2    
Version: 2.4.6   
Target Milestone: ---   
Hardware: All   
OS: All   

Description Aron Ujvari 2016-12-06 17:55:18 UTC
mod_fcgid passes "Variable-" prefixed headers, which were received from a FcgidAuthenticator process, to the responder subprocess as environment variable. These headers should not be sent back to the user, since these are just internal data, but mod_fcgid let them through.

mod_fcgid seems to collect response headers in a r->err_headers_out field, including "Variable-" prefixed ones, then mod_fcgid_modify_auth_header function (called by an apr_table_do iterator) stores them in the subprocess environment array. When mod_fcgid_modify_auth_header finds a "Variable-" prefixed header it should remove it from the r->err_headers_out field I presume.
Comment 1 Aron Ujvari 2016-12-06 17:56:11 UTC
mod_fcgid 2.3.9 was tested and leaked out these headers.