Bug #331

closed

Default pwd of fastcgi scripts can change on every restart

Added by Anonymous about 17 years ago. Updated over 15 years ago.

Status:
Fixed
Priority:
Urgent
Category:
mod_fastcgi
Target version:
-

Description

In Lighttpd-1.4.6, the fastcgi pwd defaults to the dir in which the webserver was restarted so it breaks script compatibility with Apache2+mod_fastcgi and creates a perception of bad security.

For example, the following causes pwd in fastcgi scripts to be /:


 cd /
 /etc/init.d/lighttpd restart

This causes several problems:

1. It breaks compatibility with scripts that run fine in Apache2 + mod_fastcgi and Apache2 + mod_fcgid, which makes migrating from Apache2 to Lighttpd more troublesome.

2. This behavior looks weak/improper to security professionals, so it really doesn't matter if this can/will be exploited--the perception of bad security is not desirable in a web server.

3. It can cause problems with scripts that are hard to track down. Scripts can work fine for months until the webserver is restarted manually from a dir different from prior restarts.

Proposed fix:

Make the default pwd of fastcgi scripts be the same dir in which the executed script file is located. If the script is /srv/www/foo/fastcgi/bar.rb, then default pwd should be /srv/www/foo/fastcgi/

Optionally add a directive that allows this to be set inside a config file--but the directive shouldn't be necessary if the above proposed fix is the generally accepted standard behavior of all other web servers.

-- rafx

Actions #1

Updated by jan almost 17 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

fixed in r926
