[FASTCGI] FastCGI with Oracle

Rob Lemley rclemley at booksys.com
Tue Dec 8 12:34:07 EST 2009


I don't think there's any FastCGI-related problem modifying the
environment if the program uses only fcgiapp.h.

I've seen many warnings to leave the environment alone when using
FCGI_Accept() from fcgi_stdio.

http://www.fastcgi.com/devkit/doc/FCGI_Accept.3

http://www.fastcgi.com/om_archive/mail-archive/0019.html


Tom Bowden wrote:
> But in either case (and this is just for clarification) - do they
> recommend that you not use setenv()?  
>
> Tom
>
> On Dec 8, 2009, at 10:37 AM, Rob Lemley wrote:
>
>> *fcgiapp.h:* FCG*X*_Accept() and FCG*X*_Accept_r() do not touch the
>> global environment (extern char **environ).
>> *fcgi_stdio.h:* FCG*I*_Accept() resets the environment.
>>
>> *fcgiapp.h*  the direct API to fastcgi.  Does not touch the global
>> environment.
>>
>> *fcgi_stdio.h*   an even higher level interface that should make it
>> easier to convert existing CGI programs to FastCGI.  As Gordon said,
>> "much like a regular CGI application".  This interface is implemented
>> "on top of" fcgiapp.h.
>>
>> Rob
>>
>>
>> Gordon Colburn wrote:
>>>
>>> I recently ran into this issue using static fast CGI servers with
>>> mod_fastcgi. Tom is correct; FCGI_accept resets the environment each
>>> time it is called. Any environment variables that are set using the
>>> -initial-env parameter of the FastCgiServer directive will be
>>> available in the environment when the application is first started,
>>> but once FCGI_accept is called they will no longer be available. I
>>> think the reason this is done is that mod_fastcgi passes request
>>> specific information in the environment much like a regular CGI
>>> application does and to do this it resets the environment each time
>>> FCGI_accept is called.
>>>
>>>  
>>>
>>> ------------------------------------------------------------------------
>>>
>>> *From:*
>>> fastcgi-developers-bounces+gordon=group309.com at mailman.fastcgi.com
>>> [mailto:fastcgi-developers-bounces+gordon=group309.com at mailman.fastcgi.com]
>>> *On Behalf Of *A. M. ArunKumar
>>> *Sent:* Monday, December 07, 2009 11:29 PM
>>> *To:* 'Tom Bowden'; 'Rob Lemley'; '??'
>>> *Cc:* darren.garvey at gmail.com; fastcgi-developers at mailman.pins.net
>>> *Subject:* Re: [FASTCGI] FastCGI with Oracle
>>>
>>>  
>>>
>>> I understand the security risk explained.
>>>
>>>  
>>>
>>> Well, mine is a FastCGI application started through the Apache ExecCGI
>>> system.
>>>
>>>  
>>>
>>> I have to look up how to set up the application as a FastCGI internal
>>> application.  Let me try and get back to you all.
>>>
>>>  
>>>
>>> Thanks
>>>
>>> Arun
>>>
>>> ------------------------------------------------------------------------
>>>
>>> *From:* Tom Bowden [mailto:charles_thomas at mac.com]
>>> *Sent:* Monday, December 07, 2009 11:55 PM
>>> *To:* Rob Lemley
>>> *Cc:* darren.garvey at gmail.com; A. M. ArunKumar;
>>> fastcgi-developers at mailman.pins.net
>>> *Subject:* Re: [FASTCGI] FastCGI with Oracle
>>>
>>>  
>>>
>>> I am trying to remember where I read this in the fastcgi/fastcgx
>>> documentation -- but somewhere they recommend not using setenv
>>> within the accept loop.  Perhaps each iteration of
>>> FCGII_Accept/FCGIX_Accept it clears and resets?
>>>
>>> It's a real security risk (IMHO).... an old hacker trick is to
>>> modify the path (for example) to point to your own version of a sh
>>> (sushi, etc).
>>>
>>>  
>>>
>>> I've only used mod_fcgid -- with AddHandler -- and it's (still)
>>> confusing me.
>>>
>>>  
>>>
>>>  
>>>
>>> Tom
>>>
>>>  
>>>
>>> On Dec 7, 2009, at 11:47 AM, Rob Lemley wrote:
>>>
>>>  
>>>
>>> Darren Garvey wrote:
>>>
>>> 2009/12/4 A. M. ArunKumar <arun at eagle-india.com>
>>>
>>> The solution which you gave has helped me.  But it's not after accept,
>>> it's before that. We need to set it back in the C++ program.  I used
>>> the setenv function in C++ and now it's connecting to Oracle.
>>>
>>> Is this how it is supposed to happen? I don't see why the FastCGI
>>> library should clear environment variables for the whole application...
>>>
>>>
>>> We really can't tell what is happening because we need to know more
>>> about how A.M. ArunKumar is starting the fastcgi server app.   I
>>> think he's using the apache mod_fastcgi but we don't know if it's
>>> external FastCGI, internal FastCGI, or FastCGI started through the
>>> apache ExecCGI system.
>>>
>>> I know from experience that the mod_fastcgi FastCgiServer directive
>>> (ie "internal" fastcgi server) with the "-initial-env name=[value]"
>>> option passes the values into the specified application which is
>>> started by the mod_fastcgi process manager.
>>>
>>> So from that, I assume that ArunKumar is NOT running an "internal"
>>> fastcgi server via the FastCgiServer directive.
>>>
>>> ArunKumar, can you give us more details about how you're
>>> initializing/executing/starting your FastCGI server C++ app?
>>>
>>> If you're running it as a "FastCgiExternalServer" and starting via
>>> some other means (such as init scripts, daemontools, or the windows
>>> service manager), then it's true, the environment variables will not
>>> be passed through the FastCGI connection to the external fastcgi
>>> server app.  The only thing I know of like this is the
>>> FastCgiExternalServer "-pass-header" option, which I'm thinking
>>> would pass the headers only upon receipt of a request from the client.
>>>
>>> I haven't worked with the apache "SetHandler" and "AddHandler"
>>> directives to know how environment variables work with those.
>>>
>>> Rob
>>>
>>
>
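
Added example, not part of the original thread and not code from the FastCGI devkit: one way to keep process-level variables (such as the Oracle settings discussed above) across an accept that replaces `environ`, without calling setenv() on the request's array. `fake_accept()` is a stand-in for FCGI_Accept() so the block runs without libfcgi; the helper names, the ORACLE_HOME value and the sample request are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Stand-in for FCGI_Accept() (assumption): models only the behaviour
 * described in the thread, i.e. `environ` now holds the request variables. */
static int fake_accept(char **request_vars) {
    environ = request_vars;
    return 0;
}

/* Look up NAME in a NAME=value array without touching the global environ. */
const char *env_lookup(char **envp, const char *name) {
    size_t n = strlen(name);
    if (envp == NULL) return NULL;
    for (; *envp != NULL; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return *envp + n + 1;
    return NULL;
}

/* Accept one request, then put the process environment back. On return,
 * *request_env is the request's array (read it, do not modify or retain it)
 * and getenv() sees the startup values again. */
int accept_keep_env(char **incoming, char ***request_env) {
    char **process_env = environ;    /* startup environment */
    int rc = fake_accept(incoming);  /* real code: FCGI_Accept() */
    *request_env = environ;          /* what the web server sent */
    environ = process_env;           /* ORACLE_HOME and PATH are back */
    return rc;
}

/* Constructed request: carries its own PATH and no ORACLE_HOME. */
static char *sample_request[] = {
    "REQUEST_METHOD=GET", "QUERY_STRING=id=7", "PATH=/srv/other/bin", NULL
};

/* Returns 1 if the process keeps its own variables across the accept. */
int demo(void) {
    char **req = NULL;
    setenv("ORACLE_HOME", "/opt/oracle/example", 1);  /* constructed value */
    setenv("PATH", "/usr/bin:/bin", 1);
    if (accept_keep_env(sample_request, &req) != 0) return 0;
    return strcmp(getenv("ORACLE_HOME"), "/opt/oracle/example") == 0
        && strcmp(getenv("PATH"), "/usr/bin:/bin") == 0
        && strcmp(env_lookup(req, "QUERY_STRING"), "id=7") == 0;
}
```

Because request variables are read through `env_lookup()` and never merged into the process environment, anything the process later executes resolves PATH from the startup value rather than from the request.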
