Summary: mod_fcgid leaks out Variable- prefixed FcgidAuthenticator response headers
Product: Apache httpd-2
Component: mod_fcgid
Reporter: Aron Ujvari <ujvari>
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Description Aron Ujvari 2016-12-06 17:55:18 UTC
mod_fcgid passes "Variable-" prefixed headers, which were received from an FcgidAuthenticator process, to the responder subprocess as environment variables. These headers should not be sent back to the user, since these are just internal data, but mod_fcgid lets them through. mod_fcgid seems to collect response headers in the r->err_headers_out field, including "Variable-" prefixed ones, then the mod_fcgid_modify_auth_header function (called by an apr_table_do iterator) stores them in the subprocess environment array. When mod_fcgid_modify_auth_header finds a "Variable-" prefixed header, it should remove it from the r->err_headers_out field, I presume.
Comment 1 Aron Ujvari 2016-12-06 17:56:11 UTC
mod_fcgid 2.3.9 was tested and leaked out these headers.
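
The behaviour described in this report, as an added C sketch that is not part of the original report and is not mod_fcgid's code. The `struct table` stand-in (not APR's `apr_table_t`), the function `export_auth_vars` and the sample header names and values are all constructed for illustration; the sketch shows the "Variable-" headers staying in the client-bound table unless a separate pass strips them.

```c
#include <stdio.h>
#include <strings.h>

#define MAX_HDRS 16
#define PREFIX "Variable-"

/* Stand-in for a header table; not the real apr_table_t. */
struct table { const char *key[MAX_HDRS], *val[MAX_HDRS]; int n; };

static void table_add(struct table *t, const char *k, const char *v) {
    if (t->n < MAX_HDRS) { t->key[t->n] = k; t->val[t->n] = v; t->n++; }
}

/* Header names are case-insensitive, so match the prefix that way. */
static int is_internal(const char *key) {
    return strncasecmp(key, PREFIX, sizeof(PREFIX) - 1) == 0;
}

/* Copy Variable-* headers into env (same name kept: an assumption of this
 * sketch). With strip set, a second pass drops them from hdrs, so the table
 * is never modified while it is walked. Returns how many Variable-* headers
 * remain in hdrs, i.e. would reach the client. */
static int export_auth_vars(struct table *hdrs, struct table *env, int strip) {
    int i, kept = 0, leaked = 0;
    for (i = 0; i < hdrs->n; i++)
        if (is_internal(hdrs->key[i]))
            table_add(env, hdrs->key[i], hdrs->val[i]);
    for (i = 0; i < hdrs->n; i++) {
        if (is_internal(hdrs->key[i]) && strip)
            continue;
        leaked += is_internal(hdrs->key[i]);
        hdrs->key[kept] = hdrs->key[i];
        hdrs->val[kept++] = hdrs->val[i];
    }
    hdrs->n = kept;
    return leaked;
}

int main(void) {
    for (int strip = 0; strip <= 1; strip++) {
        struct table h = { {0}, {0}, 0 }, e = { {0}, {0}, 0 };
        /* Constructed authenticator response headers. */
        table_add(&h, "Variable-AUTH_USER_ID", "1042");
        table_add(&h, "Set-Cookie", "sid=abc");
        table_add(&h, "variable-Internal-Role", "admin");
        printf("strip=%d leaked=%d\n", strip, export_auth_vars(&h, &e, strip));
    }
    return 0;
}
```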