www-cgi: whitelist some more HTTP headers
authorIan Jackson <ijackson@chiark.greenend.org.uk>
Sun, 27 Jan 2013 15:26:39 +0000 (15:26 +0000)
committerIan Jackson <ijackson@chiark.greenend.org.uk>
Sun, 27 Jan 2013 15:26:39 +0000 (15:26 +0000)
debian/changelog
www-cgi/ucgicommon.c

index 16b4566..6f9b1e0 100644 (file)
@@ -1,5 +1,6 @@
 userv-utils (0.5.0) unstable; urgency=low
 
+  * www-cgi: whitelist some more HTTP headers.
   * ipif: Improve documentation comment.
   * ipif: Some portability improvements.
   * Remove .cvsignore files.
index 7111170..4a8749a 100644 (file)
 #include "ucgi.h"
 
 const char *const envok[]= {
+  "AUTH_TYPE",
   "CONTENT_LENGTH",
   "CONTENT_TYPE",
   "DOCUMENT_ROOT",
   "GATEWAY_INTERFACE",
   "HTTP_ACCEPT",
+  "HTTP_ACCEPT_CHARSET",
   "HTTP_ACCEPT_ENCODING",
   "HTTP_ACCEPT_LANGUAGE",
   "HTTP_CACHE_CONTROL",
+  "HTTP_CONNECTION",
+  "HTTP_CONTENT_ENCODING",
   "HTTP_COOKIE",
+  "HTTP_DNT",
   "HTTP_HOST",
+  "HTTP_KEEP_ALIVE",
   "HTTP_NEGOTIATE",
   "HTTP_PRAGMA",
   "HTTP_REFERER",
   "HTTP_USER_AGENT",
+  "HTTP_VIA",
+  "HTTP_X_FORWARDED_FOR",
+  "HTTPS",
   "PATH_INFO",
   "PATH_TRANSLATED",
   "QUERY_STRING",
@@ -47,14 +56,17 @@ const char *const envok[]= {
   "REMOTE_USER",
   "REMOTE_IDENT",
   "REQUEST_METHOD",
+  "REQUEST_URI",
   "SCRIPT_FILENAME",
   "SCRIPT_NAME",
   "SCRIPT_URI",
   "SCRIPT_URL",
+  "SERVER_ADDR",
   "SERVER_ADMIN",
   "SERVER_NAME",
   "SERVER_PORT",
   "SERVER_PROTOCOL",
+  "SERVER_SIGNATURE",
   "SERVER_SOFTWARE",
   0
 };
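Review bot: Several of the names added to `envok` carry values chosen by the requesting client, and nothing in the array says so. `HTTP_X_FORWARDED_FOR` and `HTTP_VIA` in the first hunk are copied from request headers, and `REQUEST_URI` in the second is typically the request target as the client sent it. Passing them through an allowlist is reasonable, but a script on the receiving side could mistake `HTTP_X_FORWARDED_FOR` for the peer address, which only the server-set variables can vouch for. I would add a comment above the array such as `/* HTTP_* values (and REQUEST_URI) come from the client unvalidated; do not base access decisions on HTTP_X_FORWARDED_FOR. */`. The code that consults `envok` is outside these hunks, so it cannot be confirmed from here whether values are length-checked or filtered before being handed on.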