envvars from HTTP headers low precedence

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1930163 13f79535-47bb-0310-9956-ffa450edef68

Author: covener

server/util_script.c

@@ -126,25 +126,45 @@ AP_DECLARE(char **) ap_create_environment(apr_pool_t *p, apr_table_t *t)
         }
     }
     for (i = 0; i < env_arr->nelts; ++i) {
+        int changed = 0;
+
         if (!elts[i].key) {
             continue;
         }
         env[j] = apr_pstrcat(p, elts[i].key, "=", elts[i].val, NULL);
         whack = env[j];
         if (apr_isdigit(*whack)) {
             *whack++ = '_';
+            changed = 1;
         }
         while (*whack != '=') {
 #ifdef WIN32
-            if (!apr_isalnum(*whack) && *whack != '(' && *whack != ')') {
+            if (!apr_isalnum(*whack) && *whack != '_' && *whack != '(' && *whack != ')') {
 #else
-            if (!apr_isalnum(*whack)) {
+            if (!apr_isalnum(*whack) && *whack != '_') {
 #endif
                 *whack = '_';
+                changed = 1;
             }
             ++whack;
         }
-        ++j;
+        if (changed) {
+            *whack = '\0';
+            /*
+             * If after cleaning up the key the key is identical to an existing key
+             * in the table drop this environment variable. This also prevents
+             * to override CGI reserved environment variables with variables whose
+             * names have an invalid character instead of '_', but are otherwise
+             * equal to the names CGI reserved environment variables.
+             */
+            if (!apr_table_get(t, env[j])) {
+                ++j;
+                *whack = '=';
+            }
+        }
+        else {
+            ++j;
+        }
     }
 
     env[j] = NULL;