I've got a problem, and I'm not having much luck working up a solution.
I have a (shoddily written) application server it is my displeasure to have
to work with. Under certain circumstances, it is possible to embed code in
browser-supplied information (for example, the user-agent and referer
fields), and have that code executed by the application server with whatever
system and DB privs the app server has been granted. The potential for
problems is, well, obvious[1].
Since the vendor doesn't regard this as a problem(!!) I'm looking for ways
to sanitise fields passed to the app server by its plug-in, and Apache is a
good place to start.
Unfortunately, while I can use mod_rewrite and SetEnvIf to set environment
variables if dangerous characters are passed in the relevant fields, I can't
see any way of changing the user agent or referer the browser sends.
Am I:
1/ Looking for something that doesn't exist (ie in for a lot of painful
conversations with the vendor and sitewide code patches).
2/ Thick (ie missing something obvious).
--
La Cicciolina [...] Electing her was an interesting contrast to the
situation in the UK: In Italy they elect a representative from the sex
industry. In the UK, they elect their clients. -- Peter Gutmann
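
One way to sanitise these fields inside Apache, added here as an example and not part of the original post: flag a header with SetEnvIf, then remove it with mod_headers before the request reaches the handler. It assumes Apache 2.2 or later with mod_setenvif, mod_headers and mod_log_config loaded, and that the app server's plug-in reads the headers after mod_headers' default (late) processing; the variable names, log path and allowlists are constructed for illustration.

```apache
# Added example. The names bad_ua, bad_ref, bad_hdr and hdrcheck, the log
# path and both character allowlists are constructed, not from the post.

# Flag a header if it contains any character outside a conservative
# allowlist. The page does not say which characters are dangerous, so
# allowlisting is used; tune the classes to what the application needs.
SetEnvIf User-Agent "[^A-Za-z0-9 ./;:,()_+-]" bad_ua bad_hdr
SetEnvIf Referer "[^A-Za-z0-9:/?#@!&=+,;%._~-]" bad_ref bad_hdr

# Strip the flagged header from the request. In the default (late) mode
# mod_headers edits the request headers just before the handler runs, so
# the handler sees the request without the offending header.
RequestHeader unset User-Agent env=bad_ua
RequestHeader unset Referer env=bad_ref

# If the application insists on a User-Agent being present, replace the
# unset line above with a fixed, harmless value instead:
# RequestHeader set User-Agent "sanitised" env=bad_ua

# Record every request that had a header stripped, for later review.
# The header itself is gone by log time, so log which flag fired.
LogFormat "%h %t \"%r\" bad_ua=%{bad_ua}e bad_ref=%{bad_ref}e" hdrcheck
CustomLog logs/header_rejects.log hdrcheck env=bad_hdr
```

Other request fields the app server evaluates would need the same treatment, since this only covers the two headers named in the post.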