[Bug 235185] www/fcgiwrap: environment should be cleaned in /usr/local/etc/rc.d/fcgiwrap
bugzilla-noreply at freebsd.org
Fri Jan 25 02:06:40 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235185
Bug ID: 235185
Summary: www/fcgiwrap: environment should be cleaned in /usr/local/etc/rc.d/fcgiwrap
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: rodrigo at FreeBSD.org
Reporter: vas at mpeks.tomsk.su
Flags: maintainer-feedback?(rodrigo at FreeBSD.org)
It is desirable to clean the environment in /usr/local/etc/rc.d/fcgiwrap before
actually starting the fcgiwrap daemon. Otherwise, when manually
starting/restarting the service from the root account, the whole root's
environment is leaked to CGI scripts. I think it can be even considered a
security issue.
How to reproduce: write a CGI shell script with "printenv" inside, run
"/usr/local/etc/rc.d/fcgiwrap restart" as root, watch the CGI script's output
from the Web server.
Workaround: always remember to use "env -i /usr/local/etc/rc.d/fcgiwrap start"
when (re)starting manually.
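The leak and the `env -i` workaround described in the report, as an added example that is not part of the original report or of the port's rc.d script. The function names, the `ALLOWED` list, the `PATH`/`HOME` values and the `DB_PASSWORD` secret are constructed assumptions; `printenv` stands in for the CGI script.

```shell
#!/bin/sh
# Added demo. printenv stands in for the CGI script from the report; the two
# start_* functions stand in for a manual rc.d start by root (hypothetical names).

# Variable names the child may legitimately see (assumed allowlist).
ALLOWED="PATH HOME"

# Start the way the report describes: the child inherits the caller's environment.
start_inherited() { "$@"; }

# Start the way the workaround does: env -i drops every inherited variable,
# then a minimal environment is set explicitly (values are assumptions).
start_clean() { env -i PATH=/sbin:/bin:/usr/sbin:/usr/bin HOME=/ "$@"; }

# Read NAME=value lines on stdin and print each name that is not allowlisted.
# Lines without a valid leading NAME= (continuations of multi-line values) are skipped.
leaked_names() {
    while IFS= read -r line; do
        case $line in *=*) ;; *) continue ;; esac
        name=${line%%=*}
        case $name in ''|*[!A-Za-z0-9_]*) continue ;; esac
        case " $ALLOWED " in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed secret of the kind that sits in an interactive root shell.
DB_PASSWORD=constructed-secret
export DB_PASSWORD

echo "inherited start leaks: $(start_inherited printenv | leaked_names | tr '\n' ' ')"
echo "env -i start leaks:    $(start_clean printenv | leaked_names | tr '\n' ' ')"
```

Piping a CGI script's `printenv` output through `leaked_names` gives the same audit against a running service.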