From c09368cc8887c1dea562def6c77668bc77ac4374 Mon Sep 17 00:00:00 2001
From: Brian Pane <brianp@apache.org>
Date: Sun, 26 May 2002 08:27:10 +0000
Subject: [PATCH] Fix for suexec execution of CGI scripts from mod_include
 (including security patch to ensure that <!--#include file="name.cgi"--> is
 run as the suexec user rather than the httpd user) PR: 7791, 8291 Submitted
 by: Colm MacCarthaigh <colmmacc@redbrick.dcu.ie> Reviewed by:	Brian Pane

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95290 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES                       |  3 +++
 modules/filters/mod_include.c |  2 +-
 os/unix/unixd.c               | 15 ++++++++++++---
 3 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index 0861f4b4fb4..eb03edb17f4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@
 Changes with Apache 2.0.37
 
+  *) Fix suexec execution of CGI scripts from mod_include.
+     PR 7791, 8291  [Colm MacCarthaigh <colmmacc@redbrick.dcu.ie>]
+
   *) Fix segfaults at startup on some platforms when mod_auth_digest,
      mod_suexec, or mod_ssl were used as DSO's due to the way they
      were tracking the current init phase since DSO's get completely
diff --git a/modules/filters/mod_include.c b/modules/filters/mod_include.c
index 264e8ad1e65..4edf13aeec5 100644
--- a/modules/filters/mod_include.c
+++ b/modules/filters/mod_include.c
@@ -1263,7 +1263,7 @@ static int handle_include(include_ctx_t *ctx, apr_bucket_brigade **bb,
                                     "in parsed file %s";
                     }
                     else {
-                        rr = ap_sub_req_lookup_file(parsed_string, r, f->next);
+                        rr = ap_sub_req_lookup_uri(parsed_string, r, f->next);
                     }
                 }
                 else {
diff --git a/os/unix/unixd.c b/os/unix/unixd.c
index c854a397160..c21868e3885 100644
--- a/os/unix/unixd.c
+++ b/os/unix/unixd.c
@@ -350,16 +350,25 @@ static apr_status_t ap_unix_create_privileged_process(
 	    }
     }
     /* allocate space for 4 new args, the input args, and a null terminator */
-    newargs = apr_palloc(p, sizeof(char *) * (i + 5));
+    newargs = apr_palloc(p, sizeof(char *) * (i + 4));
     newprogname = SUEXEC_BIN;
     newargs[0] = SUEXEC_BIN;
     newargs[1] = execuser;
     newargs[2] = execgroup;
     newargs[3] = apr_pstrdup(p, progname);
 
-    i = 0;
+    /*
+    ** using a shell to execute suexec makes no sense thus
+    ** we force everything to be APR_PROGRAM, and never
+    ** APR_SHELLCMD
+    */
+    if(apr_procattr_cmdtype_set(attr, APR_PROGRAM) != APR_SUCCESS) {
+        return APR_EGENERAL;
+    }
+
+    i = 1;
     do {
-        newargs[i + 4] = args[i];
+        newargs[i + 3] = args[i];
     } while (args[i++]);
 
     return apr_proc_create(newproc, newprogname, newargs, env, attr, p);
-- 
2.47.2