[Bug 235185] www/fcgiwrap: environment should be cleaned in /usr/local/etc/rc.d/fcgiwrap

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Jan 25 11:35:00 UTC 2019


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235185

--- Comment #8 from Rodney W. Grimes <rgrimes at FreeBSD.org> ---
(In reply to vas from comment #6)
I do not think "at present" that has any effect, as I cannot find any place
that service(8) actually does sanitize the environment, but I may have missed it
in my 3 minute scan of that /bin/sh script.

Either way, I do now fully support that the package specific rc.d/fcgiwrap
script should do an env -i when it invokes this binary due to its potential for
being an exfiltration point.

Do note that the author of this program is aware of the fact that it can expose
its environment and actually has an internal blacklist of env variables, so to
me it appears as if the exporting is by design and intentional and the novice
user running printenv in a cgi script started by this program has loaded the
gun and pulled the trigger.

(In reply to vas from comment #7)
Realize that if you sanitize the environment in a generic way in the "foo" init
system you remove the ability of the system admin to use the environment to
affect anything that is started, and that would probably be a larger and
painful problem to solve.



More information about the freebsd-rc mailing list
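
The effect of the `env -i` invocation discussed in the comment above, as an added shell example that is not part of the original message or of the fcgiwrap port. The names `run_clean`, `child_sees` and `DEMO_DB_PASSWORD` are hypothetical, and the secret value is constructed.

```shell
#!/bin/sh
# Added illustration; not the port's rc.d script. All names are hypothetical.

# Constructed secret standing in for whatever the starting shell has exported.
DEMO_DB_PASSWORD='constructed-example-value'
export DEMO_DB_PASSWORD

# Run a command with an empty environment plus an explicit allowlist of
# variables copied from the caller. Usage: run_clean "PATH LANG" cmd [args...]
run_clean() {
    _allow=$1; shift
    for _name in $_allow; do
        # Accept only well-formed variable names before handing them to eval.
        case $_name in
            ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;;
        esac
        eval "_isset=\${$_name+x}"
        if [ -n "$_isset" ]; then
            eval "_val=\$$_name"
            # Prepend NAME=value so it lands between "env -i" and the command.
            set -- "$_name=$_val" "$@"
        fi
    done
    env -i "$@"
}

# Succeeds if a child process sees variable $1. The child is env(1), which
# returns what a printenv-style CGI script would return to a client.
# Remaining arguments are an optional launcher placed in front of the child.
child_sees() {
    _var=$1; shift
    "$@" env | grep -q "^${_var}="
}

if child_sees DEMO_DB_PASSWORD; then
    echo "inherited environment: DEMO_DB_PASSWORD is visible to the child"
fi
if ! child_sees DEMO_DB_PASSWORD run_clean "PATH"; then
    echo "env -i plus allowlist: DEMO_DB_PASSWORD is not visible to the child"
fi
```

The allowlist keeps the administrator's ability to pass selected variables through, which is the trade-off raised in the reply to comment #7.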