On Thu, Sep 20, 2012 at 8:13 PM, Gregg Smith <[email protected]> wrote:
> On 9/20/2012 4:36 PM, Guenter Knauf wrote:
>>
>> On 20.09.2012 16:56, Guenter Knauf wrote:
>>>
>>> On 20.09.2012 16:16, Guenter Knauf wrote:
>>>>
>>>> On 20.09.2012 16:02, Jeff Trawick wrote:
>>>>>
>>>>> We shouldn't have scripts which, out of the box, leak information
>>>>> about the system or configuration.
>>>>
>>>> ok, I change the script in a way as printenv has (make shebang
>>>> inactive);
>>>
>>> done:
>>> http://svn.apache.org/viewvc?rev=1388054&view=rev
>>
>> from trunk/Makefile.win line 1043ff:
>> copy docs\cgi-examples\printenv "$(INSTDIR)\cgi-bin\printenv.pl" <.y
>> -awk -f <<script.awk "docs/cgi-examples/printenv" >
>> "$(INSTDIR)\cgi-bin\printenv.pl"
>> BEGIN {
>>     if ( "perl -e \"print $$^X;\"" | getline perlroot ) {
>>         gsub( /\\/, "/", perlroot );
>>         print "#!" perlroot;
>>     }
>> }
>> {
>>     if ( $$0 !~ /^#!/ ) {
>>         print $$0;
>>     }
>> }
>> <<
>>
>> so this is the place where the shebang gets fixed for printenv.pl thus
>> making it executable unless perl is not in search path ...
>> shouldn't we then remove this part and only copy it unchanged?
>
>
> These are samples, I think they should be executable. I personally do not
> like the fact that ScriptAlias is enabled by default. I think that is as
> much a concern.
>
> Regards,
> Gregg

A script that leaks information should not be enabled unless the administrator takes an action specific to that script. If the default configuration has cgi-bin disabled and the administrator then drops an application there and enables cgi-bin, they should not have to also disable printenv.

Perhaps at one point printenv was helpful to show somebody how easy it is to write a CGI script. Those days are over for anyone that knows how to do a web search for "CGI <purpose>". It could be helpful to debug some aspects of configuration, though that is an infrequent use.

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
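
A defender-side check for the condition discussed in this thread, as an added example that is not part of the original messages or of httpd's build: a POSIX shell function that reports which files in a cgi-bin directory carry an active `#!` line. The function names and the state labels are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: report which files in a cgi-bin directory are "armed".
# A sample shipped with an inactive shebang (first line not starting with
# "#!") cannot be run as a CGI until an administrator edits that line.

# list_armed_cgi DIR
# Prints "<state> <name>" for every regular file in DIR, where state is
#   armed     first line starts with "#!" and the execute bit is set
#   shebang   first line starts with "#!" but no execute bit (still runnable
#             where the server takes the interpreter from the shebang line)
#   inactive  no active shebang on the first line
list_armed_cgi() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Read only the first line; IFS= and -r keep it unmodified.
        # "|| :" covers empty files and files without a trailing newline.
        first=
        IFS= read -r first < "$f" || :
        case $first in
            '#!'*)
                if [ -x "$f" ]; then state=armed; else state=shebang; fi ;;
            *)
                state=inactive ;;
        esac
        printf '%s %s\n' "$state" "${f##*/}"
    done
}

# count_armed DIR
# Prints the number of files with an active shebang (armed or shebang).
count_armed() {
    list_armed_cgi "$1" | awk '$1 != "inactive" { n++ } END { print n + 0 }'
}

# Stand-alone use: sh thisfile.sh /path/to/cgi-bin
if [ $# -gt 0 ]; then
    list_armed_cgi "$1"
fi
```

Run against a freshly installed cgi-bin, any line not marked `inactive` is a script the install step enabled without a decision by the administrator.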
