[Sorry for the empty response, I fat-fingered]

gvim <gvi...@gmail.com> writes:

> I built a site several years ago with CGI::Application which runs in
> cgi, not psgi mode. Is it likely to be vulnerable to the recent bash
> security hole which I understand revolves around setting ENV variables?

If you ever end up invoking bash you will be vulnerable, since CGI passes the HTTP headers as HTTP_* environment variables. Remember that Perl's system()¹, as well as C's system() and popen(), invoke /bin/sh, which may or may not be bash (it is on RedHat-like systems, but not on Debian-like systems, for example).

[1]: If it's passed a single argument which contains shell metacharacters

--
- Twitter seems more influential [than blogs] in the 'gets reported in the mainstream press' sense at least. - Matt McLeod
- That'd be because the content of a tweet is easier to condense down to a mainstream media article. - Calle Dybedahl
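
Added example, not part of the original message: a Perl sketch of how a CGI script can check what /bin/sh resolves to and run external commands without a shell and without the request-derived HTTP_* variables. The helper names sh_target and run_clean, the PATH value and the header values are assumptions made up for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(abs_path);

$| = 1;    # flush our output before each child process writes its own

# Resolve /bin/sh through any symlinks. This is the program that the
# single-string forms of system() and exec() hand a command line to.
sub sh_target {
    my $real = abs_path('/bin/sh');
    return defined $real ? $real : '/bin/sh (unresolved)';
}

# Run a command with no shell and with a minimal environment.
# - The "system { PROGRAM } LIST" form never goes through /bin/sh,
#   even when LIST holds a single element.
# - local %ENV replaces the environment for the child only, so no
#   HTTP_* value copied from the request headers reaches anything the
#   command starts later (a wrapper script, a library calling popen()).
# Returns the child's exit status, or -1 if it could not be started.
sub run_clean {
    my @argv = @_;
    local %ENV = (PATH => '/usr/bin:/bin');    # assumed safe PATH
    my $rc = system { $argv[0] } @argv;
    return $rc == -1 ? -1 : $rc >> 8;
}

# Constructed CGI-style environment, standing in for what the web
# server sets from the request headers before starting the script.
$ENV{HTTP_USER_AGENT} = 'constructed-header-value';
$ENV{HTTP_COOKIE}     = 'constructed-cookie-value';

# Child process: list the HTTP_* variable names it inherited.
my @child = ($^X, '-e',
    'print join(",", sort grep { /^HTTP_/ } keys %ENV), "\n"');

print "/bin/sh resolves to: ", sh_target(), "\n";

print "default environment: ";
system { $child[0] } @child;

print "cleaned environment: ";
run_clean(@child);
```

Run from a terminal, the first child lists both HTTP_* names and the second lists none, and the first line shows whether /bin/sh on that host is bash.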