Bug 60249 - SetEnv, PassEnv, etc accept '=' in variable names
Summary: SetEnv, PassEnv, etc accept '=' in variable names
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_env (show other bugs)
Version: 2.5-HEAD
Hardware: PC Mac OS X 10.4
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk
Depends on:
Blocks:
 
Reported: 2016-10-13 12:33 UTC by Dave Mayo
Modified: 2017-06-25 12:46 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Dave Mayo 2016-10-13 12:33:11 UTC
In various functions, a config such as:

SetEnv MY_ENV_VAR=blah

can be passed to mod_env, which is silently accepted as the single-argument form of the directive.

We've had multiple incidents where I work of people providing config of this form; generally due to copying them from shell env var statements or mistakenly using shell-style env assignment out of habit.  Since '=' is invalid in Env var names across platforms and in relevant RFCs, it seems like this should signal an error (apologies if it does already, but I haven't been able to find where it does/would) 

I've had trouble finding what proper error-handling is in Apache files, so I don't want to suggest any particular behavior, but whatever error handling generally is in such places should be applied in cases where this happens.
Comment 1 Christophe JAILLET 2017-05-19 20:53:10 UTC
Fixed in trunk in r1795635.

I have added a warning when the configuration file is parsed.
Comment 2 Eric Covener 2017-06-25 12:46:41 UTC
Produces warnings in 2.4.26