From: Brian Pane <brianp@apache.org>
Date: Sun, 26 May 2002 08:27:10 +0000 (+0000)
Subject: Fix for suexec execution of CGI scripts from mod_include
X-Git-Tag: 2.0.37~258
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c09368cc8887c1dea562def6c77668bc77ac4374;p=apache

Fix for suexec execution of CGI scripts from mod_include
(including security patch to ensure that <!--#include file="name.cgi"-->
is run as the suexec user rather than the httpd user)
PR: 7791, 8291
Submitted by: Colm MacCarthaigh <colmmacc@redbrick.dcu.ie>
Reviewed by:	Brian Pane


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95290 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 0861f4b4fb..eb03edb17f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@
 Changes with Apache 2.0.37
 
+  *) Fix suexec execution of CGI scripts from mod_include.
+     PR 7791, 8291  [Colm MacCarthaigh <colmmacc@redbrick.dcu.ie>]
+
   *) Fix segfaults at startup on some platforms when mod_auth_digest,
      mod_suexec, or mod_ssl were used as DSO's due to the way they
      were tracking the current init phase since DSO's get completely
diff --git a/modules/filters/mod_include.c b/modules/filters/mod_include.c
index 264e8ad1e6..4edf13aeec 100644
--- a/modules/filters/mod_include.c
+++ b/modules/filters/mod_include.c
@@ -1263,7 +1263,7 @@ static int handle_include(include_ctx_t *ctx, apr_bucket_brigade **bb,
                                     "in parsed file %s";
                     }
                     else {
-                        rr = ap_sub_req_lookup_file(parsed_string, r, f->next);
+                        rr = ap_sub_req_lookup_uri(parsed_string, r, f->next);
                     }
                 }
                 else {
diff --git a/os/unix/unixd.c b/os/unix/unixd.c
index c854a39716..c21868e388 100644
--- a/os/unix/unixd.c
+++ b/os/unix/unixd.c
@@ -350,16 +350,25 @@ static apr_status_t ap_unix_create_privileged_process(
 	    }
     }
     /* allocate space for 4 new args, the input args, and a null terminator */
-    newargs = apr_palloc(p, sizeof(char *) * (i + 5));
+    newargs = apr_palloc(p, sizeof(char *) * (i + 4));
     newprogname = SUEXEC_BIN;
     newargs[0] = SUEXEC_BIN;
     newargs[1] = execuser;
     newargs[2] = execgroup;
     newargs[3] = apr_pstrdup(p, progname);
 
-    i = 0;
+    /*
+    ** using a shell to execute suexec makes no sense thus
+    ** we force everything to be APR_PROGRAM, and never
+    ** APR_SHELLCMD
+    */
+    if(apr_procattr_cmdtype_set(attr, APR_PROGRAM) != APR_SUCCESS) {
+        return APR_EGENERAL;
+    }
+
+    i = 1;
     do {
-        newargs[i + 4] = args[i];
+        newargs[i + 3] = args[i];
     } while (args[i++]);
 
     return apr_proc_create(newproc, newprogname, newargs, env, attr, p);