0
votes

Steps to reproduce: create a bash script to run from FastCGI via NGINX, provide no vars in the URL bar.

Nginx Location:

location ~ (\.cgi|\.py|\.sh|\.pl|\.lua)$ {
    gzip off;
    autoindex on;
    fastcgi_pass unix:/var/run/fcgiwrap.socket;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
}

Top of the Bash script:

# Save the old internal field separator.
OIFS="$IFS"
# Set the field separator to & and parse the QUERY_STRING at the ampersand.   
IFS="${IFS}&"   
set $QUERY_STRING
Args="$*"  
IFS="$OIFS"

Expected output: Nothing

Actual Output: Note the output has been sanitized

BASH=/bin/bash
BASHOPTS=""
BASH_ALIASES=""
BASH_ARGC=""
BASH_ARGV=""
BASH_CMDS=""
BASH_LINENO=""
BASH_SOURCE=""
BASH_VERSINFO=""
BASH_VERSION=""
CONTENT_LENGTH=""
CONTENT_TYPE=""
DAEMON_OPTS=""
DIRSTACK=""
DOCUMENT_ROOT=""
DOCUMENT_URI=""
EUID=""
FCGI_ROLE=""
GATEWAY_INTERFACE=""
GROUPS=""
HOME=""
HOSTNAME=""
HOSTTYPE=""
HTTPS=""
HTTP_ACCEPT=""
HTTP_ACCEPT_ENCODING=""
HTTP_ACCEPT_LANGUAGE=""
HTTP_CONNECTION=""
HTTP_COOKIE=CID=""
HTTP_HOST=""
HTTP_UPGRADE_INSECURE_REQUESTS=""
HTTP_USER_AGENT=""
IFS=""
INVOCATION_ID=""
JOURNAL_STREAM=""
LANG=""
LOGNAME=""
MACHTYPE=""
OIFS=""
OPTERR=""
OPTIND=""
OSTYPE=""
PATH=""
PIPESTATUS=""
PPID=""
PS4=""
PWD=""
QUERY_STRING=""
REDIRECT_STATUS=""
REMOTE_ADDR=""
REMOTE_PORT=""
REQUEST_METHOD=""
REQUEST_SCHEME=""
REQUEST_URI=""
SCRIPT_FILENAME=""
SCRIPT_NAME=""
SERVER_ADDR=""
SERVER_NAME=""
SERVER_PORT=""
SERVER_PROTOCOL=""
SERVER_SOFTWARE=""
SHELL=""
SHELLOPTS=""
SHLVL=""
TERM=""
UID=""
USER=""
_=""

1

1 Answers

1
votes

I'm not sure what the intent is with the set $QUERY_STRING line, but that's the one that's causing the output. The set builtin in bash will output the environment if it's called without any valid options.
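
Added example, not part of the original question or answer: the question's parsing pattern next to a hardened form, showing why an empty QUERY_STRING writes the whole variable table (request cookies included) into the response. The function names parse_unsafe and parse_safe and the HTTP_COOKIE value are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample value standing in for a real session cookie that
# fcgiwrap would place in the CGI environment.
HTTP_COOKIE='CID=constructed-session-value'

# Pattern from the question. When the query string is empty, the unquoted
# expansion disappears, `set` runs with no arguments, and the shell prints
# every variable it holds (HTTP_COOKIE included) into the HTTP response.
parse_unsafe() (
    QUERY_STRING=$1
    IFS="${IFS}&"
    set $QUERY_STRING
)

# Hardened form. `--` ends option parsing, so an empty string just clears the
# positional parameters and a field is never read as a `set` option.
# `set -f` stops pathname expansion of fields such as "*".
# The ( ) body keeps the IFS and -f changes out of the calling shell.
parse_safe() (
    QUERY_STRING=$1
    set -f
    IFS='&'
    set -- $QUERY_STRING
    printf '%s\n' "$#"          # number of fields parsed
    for pair in "$@"; do
        printf '%s\n' "$pair"   # one key=value field per line
    done
)

# Demo on constructed input.
printf 'unsafe, empty query leaks: %s\n' "$(parse_unsafe '' | grep -c '^HTTP_COOKIE=')"
printf 'safe, empty query fields:  %s\n' "$(parse_safe '')"
parse_safe 'name=alice&mode=view'
```

The fields printed by parse_safe are still URL-encoded and untrusted; decode and validate them before use.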