It's precisely because the CGI command makes Analog "simple to use, 
simple to set up" that I'd prefer to keep it, if there was a simple way 
to resolve the security issues. But I can see that that would involve 
making Analog just a little bit more complicated internally, so sticking 
with the separate CGI interface may be the best option.

Time to look into the #EXEC directive, perhaps?

Aengus


______________________________ Reply Separator _________________________________
Subject: Re: Re[2]: [analog-help] CGI Error on NT IIS 4
Author:  [EMAIL PROTECTED] at Internet
Date:    10/25/99 4:08 PM


On Fri, 22 Oct 1999, Susan Alderman wrote: 
> 
> I'd vote for removing the CGI command - one of the things that analog 
> has going for it is that it's simple to use, simple to set up.  When 
> you start getting into security issues like this, all of a sudden
> it's NOT simple to use/set up and people are liable to get bitten. 
> 
> (Admit it - how many people out there really read ALL the docs?) 
> 

My point exactly.

Thanks for your comments on this, Susan and others.

My wife pointed out another option: to filter out all potentially-dangerous 
commands given on the command line, if CGI ON was specified. (Or probably, 
just to stop the program if one of those commands had been given, and CGI 
was ON).

I'm sure this could be made to work. However, I still think that the 
neatest, and safest, solution is to remove the command CGI altogether. Then 
all the security issues can be devolved to anlgform.

No-one has yet objected to this proposal. This is your last chance to do so!

-- 
Stephen Turner    [EMAIL PROTECTED]    http://www.statslab.cam.ac.uk/~sret1/
  Statistical Laboratory, 16 Mill Lane, Cambridge CB2 1SB, England
  "Due to the conflict in Kosovo, we will not be showing the movie Wag the
   Dog. Instead, we will show Mortal Kombat: Annihilation." Cable & Wireless

------------------------------------------------------------------------ 
This is the analog-help mailing list. To unsubscribe from this
mailing list, send mail to [EMAIL PROTECTED] 
with "unsubscribe analog-help" in the main BODY OF THE MESSAGE.
List archived at http://www.mail-archive.com/analog-help@lists.isite.net/ 
------------------------------------------------------------------------