From 7f9209c6d47f421c511bb88b4746ab15592886f4 Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Wed, 25 Jan 2017 11:26:10 -0500
Subject: [PATCH] [mod_cgi] do not send "Status" back to client "Status" from CGI/1.1 environment should not be sent back to client. Also, do not send "Status" back to client in mod_scgi and more precisely parse for "Status" in mod_fastcgi
---
 src/mod_cgi.c | 2 ++
 src/mod_fastcgi.c | 2 +-
 src/mod_scgi.c | 2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/mod_cgi.c b/src/mod_cgi.c
index 27f46858..b7145814 100644
--- a/src/mod_cgi.c
+++ b/src/mod_cgi.c
@@ -352,6 +352,8 @@ static int cgi_response_parse(server *srv, connection *con, plugin_data *p, buff
 } else {
 con->http_status = 502;
 }
+ /* do not send Status to client */
+ buffer_reset(ds->value);
 }
 break;
 case 8:
diff --git a/src/mod_fastcgi.c b/src/mod_fastcgi.c
index ec8090ea..ae8bd2c6 100644
--- a/src/mod_fastcgi.c
+++ b/src/mod_fastcgi.c
@@ -2077,7 +2077,7 @@ static int fcgi_response_parse(server *srv, connection *con, plugin_data *p, buf
 /* authorizers shouldn't affect the response headers sent back to the client */
 /* don't forward Status: */
- if (0 != strncasecmp(key, "Status", key_len)) {
+ if (key_len != sizeof("Status")-1 || 0 != strncasecmp(key, "Status", key_len)) {
 data_string *ds;
 if (NULL == (ds = (data_string *)array_get_unused_element(con->response.headers, TYPE_STRING))) {
 ds = data_response_init();
diff --git a/src/mod_scgi.c b/src/mod_scgi.c
index 63ca577a..6f2ede83 100644
--- a/src/mod_scgi.c
+++ b/src/mod_scgi.c
@@ -1742,6 +1742,8 @@ static int scgi_response_parse(server *srv, connection *con, plugin_data *p, buf
 } else {
 con->http_status = 502;
 }
+ /* do not send Status to client */
+ buffer_reset(ds->value);
 }
 break;
 case 8:
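Review bot: The added `buffer_reset(ds->value);` after the `con->http_status` if/else in cgi_response_parse clears only the value of `ds`, so the header is kept from the client only if the code that later stores or serialises `ds` skips entries with an empty value, and that code is not visible in this patch. I would state the dependency in the comment, for example `/* do not send Status to client: value is emptied, response writer is expected to skip empty-valued headers */`; the same applies to the identical hunk in scgi_response_parse in src/mod_scgi.c. The diffstat touches only three files under src/, so a regression test asserting that no Status header reaches the client from a CGI or SCGI backend would pin the behaviour. Both functions start and end outside their hunks.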
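Review bot: The tightened condition in fcgi_response_parse now forwards every key that is not exactly "Status", and that includes a zero-length key: the old `strncasecmp(key, "Status", key_len)` returns 0 when `key_len` is 0, so an empty header name used to be dropped as a side effect. If the header splitting earlier in the function (outside this hunk) can produce an empty name, it would now be copied into `con->response.headers`. Either confirm that the parser rejects empty names before this point, or guard here with `if (key_len != 0 && (key_len != sizeof("Status")-1 || 0 != strncasecmp(key, "Status", key_len))) {`. The function starts and ends outside the hunk.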