Bug 46380 - Apache 2.2.10 and suexec extra argv
Summary: Apache 2.2.10 and suexec extra argv
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mpm_worker (show other bugs)
Version: 2.2.10
Hardware: PC Linux
: P2 major (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk, PatchAvailable
: 46530 (view as bug list)
Depends on:
Blocks:
 
Reported: 2008-12-11 04:38 UTC by Russell Rademacher
Modified: 2009-08-03 07:39 UTC (History)
1 user (show)


Attachments
CGI (in perl) that exhibits this issue and includes server info (217 bytes, text/plain)
2008-12-14 16:59 UTC, Dan Muey 		Details
CGI with shell-as-shebang that does not suffer from this bug (194 bytes, text/plain)
2008-12-14 17:00 UTC, Dan Muey 		Details
don't set args if there are none (347 bytes, patch)
2008-12-14 18:59 UTC, Dan Muey 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Russell Rademacher 2008-12-11 04:38:18 UTC 
With the recent apache 2.2.10 update, @ARGV is being populated with an extra
empty argument.  Here is an example from straces of what httpd is trying to
run:

strace of process calling suexec with apache 2.2.10

[pid 18070] execve("/usr/local/apache/bin/suexec",
["/usr/local/apache/bin/suexec", "2057", "2051",
"rick.pl", ""], [/* 24 vars */]) = 0

same in apache 2.2.9

[pid 21364] execve("/usr/local/apache/bin/suexec",
["/usr/local/apache/bin/suexec", "2057", "2051",
"rick.pl"], [/* 24 vars */]) = 0


you'll notice in the 2.2.10 example, there is an empty arg being passed.  This
can easily be duplicated on any apache 2.2.10 server.

   This only occurs with MPM_Worker enabled on the server. It don't appear in MPM_Prefork for this in default setting.
Comment 1 Ruediger Pluem 2008-12-11 12:10:45 UTC 
Please provide the URL that was used calling your perl script including the arguments.
Comment 2 Russell Rademacher 2008-12-11 20:50:14 UTC 
http://xpthemetest.com/cgi-bin/test.cgi


This is the code for the script:

---------------------
#!/usr/bin/perl

print "Content-Type: text/html\n\n";
print "Argument count: $#ARGV<br>\n";
for ($i = 0; $i <= $#ARGV; $i++){
   print "Argument $i is: ";
   print @ARGV[$i];
   print "<br>\n";
}
1;
---------------------

prior to 2.2.10, it would return:

Argument count: -1
Comment 3 Ruediger Pluem 2008-12-12 06:22:55 UTC 
Can you please try if the following patch fixes your issue?

Index: modules/generators/mod_cgid.c
===================================================================
--- modules/generators/mod_cgid.c       (revision 726007)
+++ modules/generators/mod_cgid.c       (working copy)
@@ -201,7 +201,7 @@
     char *w;
     int idx = 0;

-    if (ap_strchr_c(args, '=')) {
+    if (!(*args) || ap_strchr_c(args, '=')) {
         numwords = 0;
     }
     else {
Comment 4 Russell Rademacher 2008-12-14 16:23:52 UTC 
If there is a query string, either ?param=value or ?arg+arg+arg, no extra item is added.

The problem also seem sdependent on the shebang line, for example out of these two scripts the /bin/bash one does not have a spurious argument, The /usr/bin/perl one does.
Comment 5 Dan Muey 2008-12-14 16:59:34 UTC 
Created attachment 23019 [details]
CGI (in perl) that exhibits this issue and includes server info
Comment 6 Dan Muey 2008-12-14 17:00:10 UTC 
Created attachment 23020 [details]
CGI with shell-as-shebang that does not suffer from this bug
Comment 7 Dan Muey 2008-12-14 17:02:13 UTC 
(In reply to comment #3)
> Can you please try if the following patch fixes your issue?
> 
> Index: modules/generators/mod_cgid.c
> ===================================================================
> --- modules/generators/mod_cgid.c       (revision 726007)
> +++ modules/generators/mod_cgid.c       (working copy)
> @@ -201,7 +201,7 @@
>      char *w;
>      int idx = 0;
> 
> -    if (ap_strchr_c(args, '=')) {
> +    if (!(*args) || ap_strchr_c(args, '=')) {
>          numwords = 0;
>      }
>      else {

Unfortunately that did not resolve it.

This was my configure line:

./configure --disable-authn-default --enable-expires --enable-headers --enable-info --enable-logio --enable-rewrite --enable-ssl --enable-suexec --enable-unique-id --prefix=/usr/local/apache --with-included-apr --with-mpm=worker --with-ssl=/usr --with-suexec-caller=nobody --with-suexec-docroot=/ --with-suexec-gidmin=100 --with-suexec-logfile=/usr/local/apache/logs/suexec_log --with-suexec-uidmin=100 --with-suexec-userdir=public_html
Comment 8 Dan Muey 2008-12-14 18:02:59 UTC 
(In reply to comment #7)
> (In reply to comment #3)
> > Can you please try if the following patch fixes your issue?
> > 
> > Index: modules/generators/mod_cgid.c
> > ===================================================================
> > --- modules/generators/mod_cgid.c       (revision 726007)
> > +++ modules/generators/mod_cgid.c       (working copy)
> > @@ -201,7 +201,7 @@
> >      char *w;
> >      int idx = 0;
> > 
> > -    if (ap_strchr_c(args, '=')) {
> > +    if (!(*args) || ap_strchr_c(args, '=')) {
> >          numwords = 0;
> >      }
> >      else {
> 
> Unfortunately that did not resolve it.

I take that back, it *does* resolve it :) I'll have to look into why it didn't seem to work before.
Comment 9 Dan Muey 2008-12-14 18:59:22 UTC 
Created attachment 23021 [details]
don't set args if there are none

Redoing it with a make clean first and ensuring the patch is applied, definitely works.

We've apply this patch now in our EasyApache building system.

Thanks for your assistance with that, looking forward to it being part of the core :)

Thanks again!
Comment 10 Ruediger Pluem 2008-12-14 23:48:03 UTC 
Committed to trunk as r726636.
Comment 11 Ruediger Pluem 2009-01-22 13:10:30 UTC 
*** Bug 46530 has been marked as a duplicate of this bug. ***
Comment 12 Ruediger Pluem 2009-08-02 12:31:26 UTC 
Proposed for backport as r800136.
Comment 13 Ruediger Pluem 2009-08-03 07:39:02 UTC 
Backported to 2.2.x as r800410.