Lighttpd

In Lighttpd-1.4.6, the fastcgi pwd defaults to the dir in which the webserver was restarted so it breaks script compatibility with Apache2+mod_fastcgi and creates a perception of bad security.

For example, the following causes pwd in fastcgi scripts to be /:

 cd /
 /etc/init.d/lighttpd restart

This causes several problems:

1. it breaks compatibility with scripts that run fine in Apache2 + mod_fastcgi and Apache2 + mod_fcgid which makes migrating from Apache2 to Lighttpd more troublesome

2. this behavior looks weak/improper to security professionals so it really doesn't matter if this can/will be exploited--the perception of bad security is not desirable in a web server

3. it can cause problems with scripts that are hard to track down. scripts can work fine for months until the webserver is restarted manually from a dir different from prior restarts

Proposed fix:

Make the default pwd of fastcgi scripts be the same dir in which the executed script file is located. If the script is /srv/www/foo/fastcgi/bar.rb, then default pwd should be /srv/www/foo/fastcgi/

Optionally add a directive that allows this to be set inside a config file--but the directive shouldn't be necessary if the aboved proposed fix is the generally accepted standard behavior of all other web servers.

-- rafx