In a previous thread, Charles Steinkuehler wrote:

> P.S. Nifty solution to the weblet logs issue coming as soon as I come up
> with one and can test it. I'll probably just fix the viewlogs cgi script,
> which is intentionally paranoid about which files it allows to be accessed
> (weblet logs should also be rotated and added as links to the main weblet
> page). It can be real easy to create gaping security holes (from simple
> ../../ expansions to shell meta-character expansion vulnerabilities) in
> conventional web-servers, much less one written in shell-script... I've tried
> to close as many holes as possible, although I'm sure there are still a
> number of potential vulnerabilities if anyone cares enough to try and find
> them, but that can make some things a bit harder than it seems like they
> should be at first glance...
It should be noted, on these security issues, that the meta-character issue needs a rigorous going-over. In some of my logs, I have this string often repeated:

==>

Here is how that same string appears in the weblet view:

=>gt;

This ought to be covered by some transliteration routine, such as done by Perl's CGI.pm. I'm sure there are other issues.

I'm starting this new thread in hopes of gathering other questionable weblet behaviours from ardent users. Once we know where shoring up needs to be done, I'm sure our community will step up to the challenge ;>

What do you think?

--
Best Regards,
mds
mds resource
888.250.3987

Dare to fix things before they break . . .
Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
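As an added example, not weblet's own code and not from either poster: a POSIX sh fragment showing the two defences the thread raises for a shell-script CGI like viewlogs, an HTML transliteration filter (the role CGI.pm plays in Perl) so a logged "==>" is shown literally, and a filename whitelist so "../../" style requests and names carrying shell meta-characters are refused before any file is opened. The log directory and log names are assumptions.

```shell
#!/bin/sh
# Added example (not weblet's own code) of the two checks the thread asks for.

# 1. Transliterate the HTML-special characters in log text read from stdin,
#    so that "==>" in a log reaches the browser as "==&gt;" and is rendered
#    as "==>" rather than being parsed as markup. '&' must be done first.
html_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Directory and whitelist are assumptions for the example.
LOG_DIR=/var/log/weblet
ALLOWED_LOGS="messages httpd.log weblet.log"

# 2. Print the full path of a requested log on stdout only when the name is
#    exactly one of the whitelisted names; otherwise print nothing and
#    return 1. The case pattern rejects '/', ';', '$', spaces and every
#    other character outside [A-Za-z0-9._-] first, so "../../x" and
#    "name;cmd" never reach the whitelist loop or the filesystem.
safe_log_path() {
    name=$1
    case $name in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    for allowed in $ALLOWED_LOGS; do
        if [ "$name" = "$allowed" ]; then
            printf '%s/%s\n' "$LOG_DIR" "$name"
            return 0
        fi
    done
    return 1
}

# Typical CGI use: refuse anything not on the whitelist, escape what is served.
# if path=$(safe_log_path "$QUERY_STRING"); then html_escape < "$path"; fi
```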