| 172 | } |
| 173 | |
| 174 | AP_DECLARE(void) ap_add_common_vars(request_rec *r) |
| 175 | { |
| 176 | apr_table_t *e; |
| 177 | server_rec *s = r->server; |
| 178 | conn_rec *c = r->connection; |
| 179 | core_dir_config *conf = |
| 180 | (core_dir_config *)ap_get_core_module_config(r->per_dir_config); |
| 181 | const char *env_temp; |
| 182 | const apr_array_header_t *hdrs_arr = apr_table_elts(r->headers_in); |
| 183 | const apr_table_entry_t *hdrs = (const apr_table_entry_t *) hdrs_arr->elts; |
| 184 | int i; |
| 185 | apr_port_t rport; |
| 186 | char *q; |
| 187 | |
| 188 | /* use a temporary apr_table_t which we'll overlap onto |
| 189 | * r->subprocess_env later |
| 190 | * (exception: if r->subprocess_env is empty at the start, |
| 191 | * write directly into it) |
| 192 | */ |
| 193 | if (apr_is_empty_table(r->subprocess_env)) { |
| 194 | e = r->subprocess_env; |
| 195 | } |
| 196 | else { |
| 197 | e = apr_table_make(r->pool, 25 + hdrs_arr->nelts); |
| 198 | } |
| 199 | |
| 200 | /* First, add environment vars from headers... this is as per |
| 201 | * CGI specs, though other sorts of scripting interfaces see |
| 202 | * the same vars... |
| 203 | */ |
| 204 | |
| 205 | for (i = 0; i < hdrs_arr->nelts; ++i) { |
| 206 | if (!hdrs[i].key) { |
| 207 | continue; |
| 208 | } |
| 209 | |
| 210 | /* A few headers are special cased --- Authorization to prevent |
| 211 | * rogue scripts from capturing passwords; content-type and -length |
| 212 | * for no particular reason. |
| 213 | */ |
| 214 | |
| 215 | if (!ap_cstr_casecmp(hdrs[i].key, "Content-type")) { |
| 216 | apr_table_addn(e, "CONTENT_TYPE", hdrs[i].val); |
| 217 | } |
| 218 | else if (!ap_cstr_casecmp(hdrs[i].key, "Content-length")) { |
| 219 | apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); |
| 220 | } |
| 221 | /* HTTP_PROXY collides with a popular envvar used to configure |
| 222 | * proxies, don't let clients set/override it. But, if you must... |
| 223 | */ |
| 224 | #ifndef SECURITY_HOLE_PASS_PROXY |
| 225 | else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy")) { |
| 226 | ; |
| 227 | } |
| 228 | #endif |
| 229 | /* |
| 230 | * You really don't want to disable this check, since it leaves you |
| 231 | * wide open to CGIs stealing passwords and people viewing them |
no test coverage detected