Bug 60448 - mod_fcgid leaks out Variable- prefixed FcgidAuthenticator response headers
Summary: mod_fcgid leaks out Variable- prefixed FcgidAuthenticator response headers
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_fcgid (show other bugs)
Version: 2.4.6
Hardware: All All
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2016-12-06 17:55 UTC by Aron Ujvari
Modified: 2016-12-06 17:56 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Aron Ujvari 2016-12-06 17:55:18 UTC
mod_fcgid passes "Variable-" prefixed headers, which were received from a FcgidAuthenticator process, to the responder subprocess as environment variable. These headers should not be sent back to the user, since these are just internal data, but mod_fcgid let them through.

mod_fcgid seems to collect response headers in a r->err_headers_out field, including "Variable-" prefixed ones, then mod_fcgid_modify_auth_header function (called by an apr_table_do iterator) stores them in the subprocess environment array. When mod_fcgid_modify_auth_header finds a "Variable-" prefixed header it should remove it from the r->err_headers_out field I presume.
Comment 1 Aron Ujvari 2016-12-06 17:56:11 UTC
mod_fcgid 2.3.9 was tested and leaked out these headers.