From: Joe Orton Date: Mon, 22 Dec 2025 11:14:06 +0000 (+0000) Subject: * test/modules/core: Adds regression test for CGI env var override X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f718bc37e86fc6f65d64e367d5c1103a1e520687;p=thirdparty%2Fapache%2Fhttpd.git * test/modules/core: Adds regression test for CGI env var override Submitted by: Giannis Christodoulou Github: closes #589 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1930794 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/test/modules/core/htdocs/cgi/env_parameters.py b/test/modules/core/htdocs/cgi/env_parameters.py
new file mode 100644
index 00000000000..c08d1b6990d
--- /dev/null
+++ b/test/modules/core/htdocs/cgi/env_parameters.py
@@ -0,0 +1,14 @@
+#!/usr/bin/env python3
+
+import os
+import json
+
+print("Content-Type: application/json")
+print()
+
+data = {
+ "REQUEST_METHOD": os.getenv("REQUEST_METHOD", ""),
+ "QUERY_STRING": os.getenv("QUERY_STRING", ""),
+}
+
+print(json.dumps(data, indent=2))
diff --git a/test/modules/core/test_003_cgi_env_vars.py b/test/modules/core/test_003_cgi_env_vars.py
new file mode 100644
index 00000000000..f82a5c3764e
--- /dev/null
+++ b/test/modules/core/test_003_cgi_env_vars.py
@@ -0,0 +1,33 @@
+import pytest
+
+from pyhttpd.conf import HttpdConf
+
+class TestCGIEnvVars:
+
+ @pytest.fixture(autouse=True, scope='class')
+ def _class_scope(self, env):
+ conf = HttpdConf(env, extras={
+ 'base': f"""
+
+ AllowOverride None
+ Options +ExecCGI
+
+ SetEnv REQUEST-METHOD OVERRIDDEN
+ SetEnv QUERY.STRING OVERRIDDEN
+ """,
+ })
+ conf.add_vhost_cgi()
+ conf.install()
+ assert env.apache_restart() == 0
+
+ def test_cgi_003_01(self, env):
+ """
+ CVE-2025-65082:
+ Configuration-defined env vars must not override
+ server-calculated CGI env vars.
+ """
+ url = env.mkurl("http", "cgi", "/env_parameters.py?x=123")
+ r = env.curl_get(url)
+ assert r.response["status"] == 200
+ assert r.response["json"]["REQUEST_METHOD"] == "GET"
+ assert r.response["json"]["QUERY_STRING"] == "x=123"
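Review bot: The two assertions at the end of `test_cgi_003_01` cannot tell "the override was rejected" apart from "the `SetEnv` lines never reached this request", so the test would still pass if the `base` block stopped applying to the `cgi` vhost. A positive control closes that gap: add `SetEnv CGI_ENV_CONTROL applied` next to the two overrides (the name is a constructed example), echo it from `env_parameters.py` with `"CGI_ENV_CONTROL": os.getenv("CGI_ENV_CONTROL", ""),`, and assert `r.response["json"]["CGI_ENV_CONTROL"] == "applied"`. A one-line comment above the `SetEnv` pair saying why the names are spelled with `-` and `.` rather than `_` (presumably because they are normalised onto the server-calculated names when the CGI environment is built) would also make clear to the next reader what the CVE-2025-65082 regression actually exercises.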