Your message dated Thu, 06 Oct 2005 00:02:09 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#330663: fixed in dwww 1.9.26
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 29 Sep 2005 03:28:37 +0000
>From [EMAIL PROTECTED] Wed Sep 28 20:28:37 2005
Return-path: <[EMAIL PROTECTED]>
Received: from vms040pub.verizon.net [206.46.252.40]
by spohr.debian.org with esmtp (Exim 3.36 #1 (Debian))
id 1EKp65-000251-00; Wed, 28 Sep 2005 20:28:37 -0700
Received: from esau.martinhouse.internal ([70.106.104.233])
by vms040.mailsrvcs.net
(Sun Java System Messaging Server 6.2 HotFix 0.04 (built Dec 24 2004))
with ESMTPA id <[EMAIL PROTECTED]> for
[EMAIL PROTECTED]; Wed, 28 Sep 2005 22:28:36 -0500 (CDT)
Received: from martind by esau.martinhouse.internal with local
(Exim 3.36 #1 (Debian)) id 1EKe25-0001Nh-00; Wed, 28 Sep 2005 11:39:45
-0400
Date: Wed, 28 Sep 2005 11:39:44 -0400
From: Daniel Martin <[EMAIL PROTECTED]>
Subject: /usr/lib/cgi-bin/dwww fails with "Insecure $ENV{IFS}" error
Sender: Daniel Martin <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Message-id: <[EMAIL PROTECTED]>
MIME-version: 1.0
X-Mailer: reportbug 3.15
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
Package: dwww
Version: 1.9.24
Severity: important
Tags: patch
When getting /cgi-bin/dwww?type=dir&location=/usr/share/doc on my
machine, my web browser gives me the following error:
Insecure $ENV{IFS} while running with -T switch at /usr/lib/cgi-bin/dwww line 73.
HTTP/1.1 200 OK
I believe that this is not seen when using more full-featured http
daemons that clean the environment before running cgi scripts. However,
my machine is running bozohttpd.
Here's a simple patch against /usr/lib/cgi-bin/dwww that fixes this
problem, and any other potentially insecure environment settings:
15a16,17
> %inenv = %ENV;
> %ENV = ();
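Review bot: `%inenv` is introduced here as an undeclared package variable; if dwww.cgi runs under `use strict` this will not compile, so declare it (`my %inenv = %ENV;`). Wiping `%ENV` completely also throws away `PATH`, which any later `system` or backtick call needs unless it uses absolute paths, so either set a fixed `$ENV{PATH}` right after `%ENV = ();` or, as the 1.9.26 changelog entry later in this thread does, delete only the shell-sensitive variables (`IFS`, `CDPATH`, `ENV`, `BASH_ENV`) and leave the rest in place.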
60c62
< local $port = defined $ENV{'SERVER_PORT'} ? ':' . $ENV{'SERVER_PORT'} :
'';
---
> local $port = defined $inenv{'SERVER_PORT'} ? ':' .
> $inenv{'SERVER_PORT'} : '';
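Review bot: the hunk header `60c62` announces a one-line-for-one-line change, but the new side arrives as two `>` lines (`> local $port = defined $inenv{'SERVER_PORT'} ? ':' .` followed by `> $inenv{'SERVER_PORT'} : '';`) and the old side's trailing `'';` has lost its `<` prefix. The mail client has wrapped the long lines, so `patch` will reject this hunk and the wrapped ones below it; please resend the diff as an attachment, ideally generated with `diff -u` so the context survives.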
62c64
< print "Location: http://$ENV{'SERVER_NAME'}$port/dwww/\n\n";
---
> print "Location: http://$inenv{'SERVER_NAME'}$port/dwww/\n\n";
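Review bot: renaming the hash is the right minimum here, but copying `%ENV` into `%inenv` launders nothing: taint follows the data, so `$inenv{'SERVER_NAME'}` is exactly as tainted as `$ENV{'SERVER_NAME'}` was. That is harmless for this `print`, which is not a taint-checked operation, but the rename must not be mistaken for validation if the same values are ever passed to `system` or a shell further down; a one-line comment above `%inenv = %ENV;` saying it holds the untrusted original values would make that explicit.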
87,88c89,90
< if ($ENV{'REQUEST_METHOD'} eq "GET") { # a GET -- data in encoded string
< $in = $ENV{'QUERY_STRING'};
---
> if ($inenv{'REQUEST_METHOD'} eq "GET") { # a GET -- data in encoded
> string
> $in = $inenv{'QUERY_STRING'};
90,91c92,93
< elsif ($ENV{'REQUEST_METHOD'} eq "POST") { # a POST -- data in variables
< for ($i = 0; $i < $ENV{'CONTENT_LENGTH'}; $i++) {
---
> elsif ($inenv{'REQUEST_METHOD'} eq "POST") { # a POST -- data in
> variables
> for ($i = 0; $i < $inenv{'CONTENT_LENGTH'}; $i++) {
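Review bot: `$inenv{'CONTENT_LENGTH'}` is used directly as the loop bound for the POST read. The problem predates this patch, but since the line is being touched anyway: the value is client-supplied and unchecked, so verify that it is a plain integer (a capture such as `m/^(\d{1,7})$/` also untaints it) and cap it at a sensible maximum before the loop, otherwise a non-numeric value silently becomes 0 and an oversized one drives the loop for as many iterations as the client declares.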
95,96c97,98
< elsif ($ENV{'REQUEST_METHOD'} eq "HEAD") {
< $in = $ENV{'QUERY_STRING'};
---
> elsif ($inenv{'REQUEST_METHOD'} eq "HEAD") {
> $in = $inenv{'QUERY_STRING'};
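Review bot: after this change the HEAD branch is a copy of the GET branch two hunks up (same `$inenv{'QUERY_STRING'}` assignment), which is why both had to be edited in step. Folding them into one `if ($inenv{'REQUEST_METHOD'} eq 'GET' or $inenv{'REQUEST_METHOD'} eq 'HEAD')` test would halve the places that read the request environment and make the next change of this kind a single edit.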
-- System Information:
Debian Release: testing/unstable
APT prefers oldstable
APT policy: (500, 'oldstable'), (500, 'testing')
Architecture: i386 (i586)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.9-mppe
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages dwww depends on:
ii bozohttpd [httpd-cgi] 20050410-1 Bozotic HTTP server
ii debconf [debconf-2.0] 1.4.57 Debian configuration management sy
ii debianutils 2.14.1 Miscellaneous utilities specific t
ii doc-base 0.7.18-0.1 utilities to manage online documen
ii file 4.12-1 Determines file type using "magic"
ii libc6 2.3.5-6 GNU C Library: Shared libraries an
ii man-db 2.4.3-1 The on-line manual pager
ii menu 2.1.25 generates programs menu for all me
ii perl 5.8.7-3 Larry Wall's Practical Extraction
ii realpath 1.9.24 Return the canonicalized absolute
Versions of packages dwww recommends:
ii apt 0.5.28.6 Advanced front-end for dpkg
ii dlocate 0.5-0.1 fast alternative to dpkg -L and dp
ii info2www 1.2.2.9-23 Read info files with a WWW browser
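As an added example that is not code from the bug report, the patch or dwww itself, a small taint-mode Perl script that reproduces the refusal described above and shows the two remedies this thread discusses: keeping a copy of the request environment, as the patch does, and deleting the shell-sensitive variables after pinning PATH, as the 1.9.26 changelog describes. The function names, the `/bin/true` probe and the sample location values are constructed for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not dwww's code. Run as:  env IFS=' ' perl -T taint_env.pl
# It reproduces the "Insecure $ENV{IFS}" refusal from the report and shows
# the remedies discussed in Bug#330663: keep a copy of the request
# environment and remove the shell-sensitive variables before any command.
use strict;
use warnings;

# Snapshot of what the HTTP server handed us (the patch's %inenv). Taint
# follows data on assignment, so these values stay tainted and must be
# untainted by regex capture before they may reach system() or a shell.
my %request = %ENV;

# Pinning PATH is the step everyone knows (it is the first variable taint
# mode checks before an external command) and it is not enough on its own:
# the report's script got past PATH and was stopped by IFS.
$ENV{PATH} = '/bin:/usr/bin';

# What the 1.9.26 changelog describes: delete the variables /bin/sh honours.
# perlsec names exactly these four as the ones taint mode checks after PATH.
sub scrub_env {
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    return join ',', sort keys %ENV;
}

# Untaint a dwww-style "location" value: only an absolute path built from
# word characters, dots, slashes and dashes, with no ".." component.
# The capture into $1 is what clears the taint flag; the pattern is the policy.
sub untaint_location {
    my ($value) = @_;
    return undef unless defined $value && $value !~ m{(^|/)\.\.(/|\z)};
    return $value =~ m{^(/[\w./-]*)\z} ? $1 : undef;
}

# Run an external command; under -T this dies with "Insecure $ENV{IFS}"
# while a tainted IFS is in the environment, exactly as the report shows.
sub try_true {
    return 'system() ran' if eval { system('/bin/true') == 0 };
    chomp(my $err = $@);
    return "system() refused: $err";
}

print 'before scrub: ', try_true(), "\n";
print 'after scrub (', scrub_env(), '): ', try_true(), "\n";

# Constructed sample inputs for the untainting policy.
for my $loc ('/usr/share/doc', '/usr/share/doc/../../etc/passwd', 'doc') {
    my $clean = untaint_location($loc);
    printf "%-36s -> %s\n", $loc, defined $clean ? $clean : 'rejected';
}
```

Without the `env IFS=' '` prefix the first probe also succeeds, because taint mode only complains about variables that are actually present in the environment it inherits.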
---------------------------------------
Received: (at 330663-close) by bugs.debian.org; 6 Oct 2005 07:12:12 +0000
>From [EMAIL PROTECTED] Thu Oct 06 00:12:12 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 #1 (Debian))
id 1ENPlZ-0001TJ-00; Thu, 06 Oct 2005 00:02:09 -0700
From: Robert Luberda <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#330663: fixed in dwww 1.9.26
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Thu, 06 Oct 2005 00:02:09 -0700
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 3
Source: dwww
Source-Version: 1.9.26
We believe that the bug you reported is fixed in the latest version of
dwww, which is due to be installed in the Debian FTP archive:
dwww_1.9.26.dsc
to pool/main/d/dwww/dwww_1.9.26.dsc
dwww_1.9.26.tar.gz
to pool/main/d/dwww/dwww_1.9.26.tar.gz
dwww_1.9.26_i386.deb
to pool/main/d/dwww/dwww_1.9.26_i386.deb
realpath_1.9.26_i386.deb
to pool/main/d/dwww/realpath_1.9.26_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Robert Luberda <[EMAIL PROTECTED]> (supplier of updated dwww package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.7
Date: Wed, 5 Oct 2005 22:06:41 +0200
Source: dwww
Binary: dwww realpath
Architecture: source i386
Version: 1.9.26
Distribution: unstable
Urgency: low
Maintainer: Robert Luberda <[EMAIL PROTECTED]>
Changed-By: Robert Luberda <[EMAIL PROTECTED]>
Description:
dwww - Read all on-line documentation with a WWW browser
realpath - Return the canonicalized absolute pathname
Closes: 328721 328945 330663
Changes:
dwww (1.9.26) unstable; urgency=low
.
* dwww.cgi: delete unsafe environment variables like IFS (closes: #330663).
* dwww-refresh-cache: fix the find command warnings (closes: #328721).
* Install searchplugins for mozilla & firefox (closes: #328945).
Files:
1776e9ffdc63dab24c858cc96cc62ca9 505 doc optional dwww_1.9.26.dsc
fc279c2e5c6d996be70544008623f89d 106726 doc optional dwww_1.9.26.tar.gz
4132bc35c8d66cf98c4df8597fcb8bdd 103166 doc optional dwww_1.9.26_i386.deb
0a36daf638c2d5f7a3079ab47f5f49ce 23852 utils optional realpath_1.9.26_i386.deb