by earthboundkid 2082 days ago
Does FastCGI have a history of security bugs due to environment var / header confusion or just regular CGI?
4 comments

FastCGI doesn't set environment variables. Only CGI does that since the CGI binary is executed for each request. FastCGI binaries run as a server listening on a unix/tcp socket for connections from the frontend web server. It works like a webapp listening for http requests on a local socket with reverse http proxy rules set up on the frontend web server.
FastCGI transmits the headers via its protocol socket and doesn't rely on environment variable mechanisms to transmit them.

Some fcgi libraries may convert the headers into Env Vars to make it "easier" for code, but it is not strictly necessary.

Yes, just as CGI.

For example, the HTTP header Proxy may be converted to "HTTP_PROXY" and some application servers may interpret it as the environment variable HTTP_PROXY (I seem to remember HHVM did it). Good servers have measures in place to handle that header, but it can bite you if you are implementing a new server.
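As an added illustration (not part of the thread), the CGI header-to-meta-variable rule that produces the `Proxy` / `HTTP_PROXY` collision, next to the usual server-side mitigation of dropping that one name before the environment is built. The sample headers, function names and the blocklist are constructed for this example.

```python
# Constructed sample request headers; the Proxy value is a placeholder, not a real host.
SAMPLE_HEADERS = {
    "Host": "app.example.internal",
    "Content-Type": "application/json",
    "Proxy": "http://untrusted.invalid:8080",
    "X-Forwarded-For": "203.0.113.5",
}


def header_to_meta_var(name: str) -> str:
    """RFC 3875 meta-variable rule: prefix HTTP_, uppercase, '-' becomes '_'."""
    return "HTTP_" + name.upper().replace("-", "_")


def naive_cgi_env(headers: dict) -> dict:
    """Unsafe conversion: every client header becomes an HTTP_* variable,
    so a client-supplied 'Proxy' header turns into HTTP_PROXY, a name that
    some HTTP client libraries read as their outbound proxy setting."""
    return {header_to_meta_var(k): v for k, v in headers.items()}


# Meta-variable names that collide with well-known environment variables
# consumed by outbound HTTP clients. Constructed list; extend as needed.
BLOCKED_META_VARS = {"HTTP_PROXY"}


def hardened_cgi_env(headers: dict) -> dict:
    """Same conversion, but header names whose meta-variable form is on the
    blocklist are dropped before they can reach the application environment."""
    env = {}
    for k, v in headers.items():
        meta = header_to_meta_var(k)
        if meta in BLOCKED_META_VARS:
            continue  # never let a request header set HTTP_PROXY
        env[meta] = v
    return env


def outbound_proxy_from(env: dict):
    """Mimics a client library that picks its proxy from the environment."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def dropped_headers(headers: dict) -> list:
    """Report which incoming headers the hardened path discarded, for logging
    or alerting on the frontend."""
    return [k for k in headers if header_to_meta_var(k) in BLOCKED_META_VARS]
```

Logging the result of `dropped_headers` on the frontend gives a cheap detection signal: a legitimate client has no reason to send a `Proxy` request header.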

Yes. Both have the same issue since it's the same thing. CGI starts one process per request; FastCGI reuses a process for more requests to improve performance.