FCGX_Request* m_req;\r
int m_port;\r
string m_scheme,m_hostname;\r
+ set<string> m_cleared_headers;\r
multimap<string,string> m_response_headers;\r
public:\r
map<string,string> m_request_headers;\r
cerr << "shib: " << msg;\r
}\r
void clearHeader(const char* rawname, const char* cginame) {\r
- // no need, since request headers turn into actual environment variables\r
+ // Need to save off the name to prevent access to the header later.\r
+ m_cleared_headers.insert(rawname);\r
}\r
void setHeader(const char* name, const char* value) {\r
if (value)\r
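Review bot: The cleared set is keyed on the exact `rawname` string, but the new `m_cleared_headers.count(name)` test in the getHeader hunk sits in front of a lookup that rewrites `name` into an `HTTP_…` key (the `'-'` handling is visible; the rest of that loop is outside the hunk). If that rewrite also folds case or maps several spellings to one variable, a header requested in a different spelling than the one passed to clearHeader would miss the set and still return the client-supplied value. Keying both sides on the normalized form would close that gap: assuming `cginame` is the CGI-style name, use `m_cleared_headers.insert(cginame);` here, and in getHeader build `hdr` first and test `m_cleared_headers.count(hdr)`. A null `rawname` or `cginame` should also be rejected before the insert, since constructing a `std::string` from a null pointer is undefined behaviour. Both setHeader and getHeader continue outside the visible hunks.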
map<string,string>::const_iterator i = m_request_headers.find(name);\r
if (i != m_request_headers.end())\r
return i->second;\r
- // Nothing set locally, so try the request.\r
+ // If not in the local set, see if it's a "controlled" header by\r
+ // checking the cleared list.\r
+ if (m_cleared_headers.count(name) > 0)\r
+ return "";\r
+ // Nothing set locally and it's safe, so try the request.\r
string hdr("HTTP_");\r
for (; *name; ++name) {\r
if (*name=='-')\r