At 10:47 AM -0500 9/5/01, Gilles Detillieux wrote:
>So, any ideas about how we can avoid abuses like the URL above, or that
>described in bug #458013, but still allow -c from a wrapper script or
>shell command line?  Maybe we can ignore -c when REQUEST_METHOD is set
>to GET or POST, and allow it otherwise?

This is probably the best way. We can also check for one or more 
additional HTTP headers if we want to be sure. Certainly some 
behavior is already slightly different from the command-line than 
from the CGI. (e.g. the shell command will ask for "words" or 
"format" if they aren't supplied)

>I suppose we could also have a compile time option to re-enable the old
>behaviour for stubborn folks who'd rather put their systems at risk than
>rewrite a wrapper.  What do you think?

That's not a bad idea--fairly easy to do as well.

>I don't think the CONFIG_DIR environment variable is a problem, because
>there's no way that I know of to arbitrarily define environment variables
>for a CGI program from the web client.

The web client isn't the only place the CGI needs to be secure. We 
also have to protect against shell access on the server grabbing the 
connection somehow. Again, I really think this needs to be closed--if 
someone wants to set a compile-time option to enable it, that's fine.

-Geoff

_______________________________________________
htdig-dev mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/htdig-dev
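
The check proposed in this thread, written out as an added example that is not ht://Dig source code: `-c` is honoured only when the process does not appear to be running as a CGI, with a compile-time switch to restore the old behaviour. The names `select_config`, `running_as_cgi` and `ALLOW_CGI_CONFIG_OVERRIDE`, the extra `GATEWAY_INTERFACE` check, the default path, and treating any non-empty `REQUEST_METHOD` (not only GET or POST) as a CGI context are assumptions.

```cpp
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <string>

// Hypothetical compile-time switch: build with -DALLOW_CGI_CONFIG_OVERRIDE=1
// to re-enable -c under a web server (the "old behaviour" in the thread).
#ifndef ALLOW_CGI_CONFIG_OVERRIDE
#define ALLOW_CGI_CONFIG_OVERRIDE 0
#endif

static bool env_set(const char *name) {
    const char *v = std::getenv(name);
    return v != nullptr && *v != '\0';
}

// REQUEST_METHOD is the signal proposed in the thread; GATEWAY_INTERFACE is
// an assumed second CGI variable, so one missing variable does not reopen -c.
bool running_as_cgi() {
    return env_set("REQUEST_METHOD") || env_set("GATEWAY_INTERFACE");
}

// Returns the config file to load. Accepts "-c FILE" and "-cFILE", but falls
// back to default_conf when the request arrived through the web server.
std::string select_config(int argc, const char *const argv[],
                          const std::string &default_conf) {
    std::string requested;
    for (int i = 1; i < argc; ++i) {
        if (std::strncmp(argv[i], "-c", 2) != 0) continue;
        if (argv[i][2] != '\0') requested = argv[i] + 2;   // -cFILE
        else if (i + 1 < argc) requested = argv[++i];      // -c FILE
    }
    if (requested.empty()) return default_conf;
    if (running_as_cgi() && !ALLOW_CGI_CONFIG_OVERRIDE) {
        std::cerr << "ignoring -c: not allowed in a CGI context\n";
        return default_conf;
    }
    return requested;
}

int main(int argc, char *argv[]) {
    // Constructed default path, for illustration only.
    std::cout << select_config(argc, argv, "/etc/htdig/htdig.conf") << "\n";
    return 0;
}
```

A wrapper script that needs a different configuration file must then clear the CGI variables before invoking the program, or be built with the override switch.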