Re: busybox httpd cgi environment
Not trying to beat a dead horse, but the previous reply didn't really address an important question: "Why do you want it [the environment cleared?]"

Denys Vlasenko wrote:
>
> Now I disagree. It's trivial to strip environment prior
> to starting httpd:
>
> env - httpd
> or
> env - PATH="$PATH" httpd
>
> and both users who want stripped env and who need some env vars
> to be set can both get what they want.
>
> Granted, you need to think a tiny bit about security before you
> decide how to start httpd in this case. But you need to think
> about security anyway, right?
>
> However, with mandatory stripping of env in httpd we'll make
> those users which want to pass an env variable to cgi unhappy.
>
> Why do you want it?
>

Information leakage.

http://www.irt.org/articles/js184/index.htm

One of the most frequent security problems in CGI scripts is inadvertently passing unchecked user-supplied variables or "tainted variables" to the shell. Tainted variables are those that contain data that originate from outside the script, including data read from environment variables, from the command line array, or from standard input.

Changing the default to be "expose server's environment" from "off" to "on" changes the security equation, and puts a greater load on every cgi script author.

off - every cgi script only has to account for a subset of possible environment variables, and must do something exceptional to get more.

on - every cgi script must now account for [unenlightened] httpd administrators, and take precautions.

For example, the "env" cgi:

#!/bin/sh
echo content-type: text/plain
echo    # blank line: end of the CGI headers, body follows
env

Not a good idea to have on any system, but it's a common example cgi.

An example of this gone bad is here:

http://impressive.net/people/gerald/2000/10/set

It is [inadvertently] exposing his local hostname, shell version, machine type, the fact that the cgi is running in his home dir, what his local name is, that the nobody user is probably UID 33 and other interesting facts that help the bad guys.

Yes, it's the responsibility of the cgi script writer to fix this. But the person writing the script is in most cases not the same as the person running the web server. The script at impressive.net obviously did not expect the web server to expose more data than would be considered "sane." It's the reason most other web servers start from an empty environment for the cgi script - to provide one more notch in the whole security equation.

Hope this explains a little better. Otherwise, sorry for the noise.

___
busybox mailing list
busybox@busybox.net
http://busybox.net/cgi-bin/mailman/listinfo/busybox
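The "env - httpd" idea from the quoted reply, carried one step further as an added example (this is not busybox code and not part of the original post): a wrapper that starts a CGI program under `env -i`, re-adding only the standard CGI meta-variables, plus a helper that lists which variables of the live environment an "env" CGI would otherwise leak. The allowlist, the fixed PATH value and the names `cgi_is_allowed`, `cgi_dropped_vars` and `run_cgi_clean` are assumptions made for the illustration; it goes beyond the one-liner by passing an allowlist rather than only PATH.

```shell
#!/bin/sh
# Added example (not busybox code): start a CGI program with the server's
# environment stripped, the way "env - httpd" does, but re-add only the
# standard CGI meta-variables so the script still gets what it needs.
# The allowlist and the fixed PATH are assumptions for illustration.

CGI_ALLOWLIST="GATEWAY_INTERFACE SERVER_SOFTWARE SERVER_NAME SERVER_PORT \
SERVER_PROTOCOL REQUEST_METHOD REQUEST_URI SCRIPT_NAME PATH_INFO \
QUERY_STRING CONTENT_TYPE CONTENT_LENGTH REMOTE_ADDR REMOTE_PORT \
HTTP_HOST HTTP_USER_AGENT HTTP_REFERER HTTP_COOKIE HTTP_ACCEPT"
CGI_PATH="/usr/bin:/bin"   # PATH handed to the CGI (assumed value)

# True (status 0) when variable NAME may reach the CGI.
cgi_is_allowed() {
    case " $CGI_ALLOWLIST " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Names in the live exported environment that the wrapper would drop:
# exactly what an "env" CGI leaks when httpd passes its environment on.
# (A value containing a newline would confuse the cut; fine for a check.)
cgi_dropped_vars() {
    env | cut -d= -f1 | while IFS= read -r name; do
        if [ "$name" != PATH ] && ! cgi_is_allowed "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Run CGI "$1" (plus any extra arguments) under "env -i": the environment
# is emptied, then PATH and every allowlisted variable that is set in the
# caller's shell are passed explicitly. Each NAME=VALUE is one argument,
# so a value with spaces (HTTP_USER_AGENT, say) survives intact.
run_cgi_clean() {
    cgi="$1"; shift
    set -- "$cgi" "$@"
    for name in $CGI_ALLOWLIST; do
        if eval "[ -n \"\${$name+set}\" ]"; then
            eval "set -- \"$name=\$$name\" \"\$@\""
        fi
    done
    env -i PATH="$CGI_PATH" "$@"
}

# Demonstration when run with CGI_DEMO=1: compare the leak with the clean run.
if [ "${CGI_DEMO:-0}" = 1 ]; then
    echo "Variables the wrapper would drop from this shell's environment:"
    cgi_dropped_vars
    echo "What the CGI actually sees:"
    HTTP_HOST=example.com REQUEST_METHOD=GET run_cgi_clean "$(command -v env)"
fi
```

Run it as `CGI_DEMO=1 sh cgi-clean.sh` from a shell that has, say, a token exported: the first list shows the token among the dropped names, the second shows only PATH and the two meta-variables reaching the "CGI". The allowlist is a policy decision; an `HTTP_*` header that a script does not need is one more tainted input, so trim it to what the scripts on the box actually read.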
Re: [PATCH] ash fancy prompt expansion
On Thursday 13 September 2007 12:39, Natanael Copa wrote:
> Hi,
>
> Attached is a patch that fixes the annoying bug in ash prompt expansion.
>
> Currently the default PS1='\w \$ ' will always show a '$' as prompt
> while PS1='\w \\$ ' will show a '#' if effective user is root and '$'
> otherwise.

This is strange, for me current svn seems to work:

sh-3.2# ./busybox ash
/.1/usr/srcdevel/bbox/fix/busybox.t3 # PS1='\w \$ '
/.1/usr/srcdevel/bbox/fix/busybox.t3 # PS1='\w \\$ '
/.1/usr/srcdevel/bbox/fix/busybox.t3 \$ PS1='TEST>\$ '
TEST># PS1='TEST>\\$ '
TEST>\$

Is it already fixed? Or maybe it depends on .config. Mine is attached.
--
vda

#
# Automatically generated make config: don't edit
# Busybox version: 1.8.0.svn
# Sat Sep 15 00:33:00 2007
#
CONFIG_HAVE_DOT_CONFIG=y

#
# Busybox Settings
#

#
# General Configuration
#
CONFIG_NITPICK=y
CONFIG_DESKTOP=y
CONFIG_FEATURE_BUFFERS_USE_MALLOC=y
# CONFIG_FEATURE_BUFFERS_GO_ON_STACK is not set
# CONFIG_FEATURE_BUFFERS_GO_IN_BSS is not set
CONFIG_SHOW_USAGE=y
CONFIG_FEATURE_VERBOSE_USAGE=y
CONFIG_FEATURE_COMPRESS_USAGE=y
CONFIG_FEATURE_INSTALLER=y
# CONFIG_LOCALE_SUPPORT is not set
CONFIG_GETOPT_LONG=y
CONFIG_FEATURE_DEVPTS=y
# CONFIG_FEATURE_CLEAN_UP is not set
CONFIG_FEATURE_PIDFILE=y
CONFIG_FEATURE_SUID=y
CONFIG_FEATURE_SUID_CONFIG=y
CONFIG_FEATURE_SUID_CONFIG_QUIET=y
# CONFIG_SELINUX is not set
# CONFIG_FEATURE_PREFER_APPLETS is not set
CONFIG_BUSYBOX_EXEC_PATH="/proc/self/exe"
CONFIG_FEATURE_SYSLOG=y
CONFIG_FEATURE_HAVE_RPC=y

#
# Build Options
#
# CONFIG_STATIC is not set
# CONFIG_BUILD_LIBBUSYBOX is not set
# CONFIG_FEATURE_FULL_LIBBUSYBOX is not set
# CONFIG_FEATURE_SHARED_BUSYBOX is not set
CONFIG_LFS=y
# CONFIG_BUILD_AT_ONCE is not set

#
# Debugging Options
#
# CONFIG_DEBUG is not set
CONFIG_WERROR=y
CONFIG_NO_DEBUG_LIB=y
# CONFIG_DMALLOC is not set
# CONFIG_EFENCE is not set
CONFIG_INCLUDE_SUSv2=y

#
# Installation Options
#
# CONFIG_INSTALL_NO_USR is not set
CONFIG_INSTALL_APPLET_SYMLINKS=y
# CONFIG_INSTALL_APPLET_HARDLINKS is not set
# CONFIG_INSTALL_APPLET_SCRIPT_WRAPPERS is not set
# CONFIG_INSTALL_APPLET_DONT is not set
# CONFIG_INSTALL_SH_APPLET_SYMLINK is not set
# CONFIG_INSTALL_SH_APPLET_HARDLINK is not set
# CONFIG_INSTALL_SH_APPLET_SCRIPT_WRAPPER is not set
CONFIG_PREFIX="./_install"

#
# Busybox Library Tuning
#
CONFIG_PASSWORD_MINLEN=6
CONFIG_MD5_SIZE_VS_SPEED=2
CONFIG_FEATURE_FAST_TOP=y
# CONFIG_FEATURE_ETC_NETWORKS is not set
CONFIG_FEATURE_EDITING=y
CONFIG_FEATURE_EDITING_MAX_LEN=1024
CONFIG_FEATURE_EDITING_FANCY_KEYS=y
CONFIG_FEATURE_EDITING_VI=y
CONFIG_FEATURE_EDITING_HISTORY=15
CONFIG_FEATURE_EDITING_SAVEHISTORY=y
CONFIG_FEATURE_TAB_COMPLETION=y
CONFIG_FEATURE_USERNAME_COMPLETION=y
CONFIG_FEATURE_EDITING_FANCY_PROMPT=y
CONFIG_MONOTONIC_SYSCALL=y
# CONFIG_IOCTL_HEX2STR_ERROR is not set

#
# Applets
#

#
# Archival Utilities
#
CONFIG_AR=y
# CONFIG_FEATURE_AR_LONG_FILENAMES is not set
CONFIG_BUNZIP2=y
CONFIG_CPIO=y
CONFIG_DPKG=y
# CONFIG_DPKG_DEB is not set
# CONFIG_FEATURE_DPKG_DEB_EXTRACT_ONLY is not set
CONFIG_GUNZIP=y
CONFIG_FEATURE_GUNZIP_UNCOMPRESS=y
CONFIG_GZIP=y
CONFIG_RPM2CPIO=y
CONFIG_RPM=y
CONFIG_FEATURE_RPM_BZ2=y
CONFIG_TAR=y
CONFIG_FEATURE_TAR_CREATE=y
CONFIG_FEATURE_TAR_BZIP2=y
CONFIG_FEATURE_TAR_LZMA=y
CONFIG_FEATURE_TAR_FROM=y
CONFIG_FEATURE_TAR_GZIP=y
CONFIG_FEATURE_TAR_COMPRESS=y
CONFIG_FEATURE_TAR_OLDGNU_COMPATIBILITY=y
CONFIG_FEATURE_TAR_OLDSUN_COMPATIBILITY=y
CONFIG_FEATURE_TAR_GNU_EXTENSIONS=y
CONFIG_FEATURE_TAR_LONG_OPTIONS=y
CONFIG_UNCOMPRESS=y
CONFIG_UNLZMA=y
CONFIG_FEATURE_LZMA_FAST=y
CONFIG_UNZIP=y

#
# Common options for cpio and tar
#
CONFIG_FEATURE_UNARCHIVE_TAPE=y

#
# Common options for dpkg and dpkg_deb
#
CONFIG_FEATURE_DEB_TAR_GZ=y
CONFIG_FEATURE_DEB_TAR_BZ2=y
CONFIG_FEATURE_DEB_TAR_LZMA=y

#
# Coreutils
#
CONFIG_BASENAME=y
CONFIG_CAL=y
CONFIG_CAT=y
CONFIG_CATV=y
CONFIG_CHGRP=y
CONFIG_CHMOD=y
CONFIG_CHOWN=y
CONFIG_CHROOT=y
CONFIG_CKSUM=y
CONFIG_COMM=y
CONFIG_CP=y
CONFIG_CUT=y
CONFIG_DATE=y
CONFIG_FEATURE_DATE_ISOFMT=y
CONFIG_DD=y
CONFIG_FEATURE_DD_SIGNAL_HANDLING=y
CONFIG_FEATURE_DD_IBS_OBS=y
CONFIG_DF=y
CONFIG_DIRNAME=y
CONFIG_DOS2UNIX=y
CONFIG_UNIX2DOS=y
CONFIG_DU=y
CONFIG_FEATURE_DU_DEFAULT_BLOCKSIZE_1K=y
CONFIG_ECHO=y
CONFIG_FEATURE_FANCY_ECHO=y
CONFIG_ENV=y
CONFIG_FEATURE_ENV_LONG_OPTIONS=y
CONFIG_EXPAND=y
CONFIG_FEATURE_EXPAND_LONG_OPTIONS=y
CONFIG_EXPR=y
CONFIG_EXPR_MATH_SUPPORT_64=y
CONFIG_FALSE=y
CONFIG_FOLD=y
CONFIG_HEAD=y
CONFIG_FEATURE_FANCY_HEAD=y
CONFIG_HOSTID=y
CONFIG_ID=y
CONFIG_INSTALL=y
CONFIG_FEATURE_INSTALL_LONG_OPTIONS=y
CONFIG_LENGTH=y
CONFIG_LN=y
CONFIG_LOGNAME=y
CONFIG_LS=y
CONFIG_FEATURE_LS_FILETYPES=y
CONFIG_FEATURE_LS_FOLLOWLINKS=y
CONFIG_FEATURE_LS_RECURSIVE=y
CONFIG_FEATURE_LS_SORTFILES=y
CONFIG_FEATURE_LS_TIMESTAMPS=y
CONFIG_FEATURE_LS_USERNAME=y
CONFIG_FEATURE_LS_COLOR=y
CONFIG_FEATURE_LS_COLOR_IS_DEFAULT=y
CONFIG_MD5SUM=y
CONFIG_MKDIR=y
CONFIG_FEATURE_MKDIR_LONG_OPTIONS=y
CONFIG_MKFIFO=y
CONFIG_MKNOD=y
CONFIG_MV=y
CONFIG_FEATURE_MV_LONG_OPTIONS=y
CONFIG_NICE=y
CONFIG_NOHU
Re: issue regarding ESC in vi
On Fri, Sep 14, 2007 at 06:00:23PM -0400, Mike Frysinger wrote:
>On Friday 07 September 2007, Paul Fox wrote:
>> > On Thursday 06 September 2007 22:49, Tapojoy chatterjee wrote:
>> > > hi
>> > > whenever we press ESC in vi there is flashing of the terminal..is
>> > > there a way around it
>> >
>> > I'm not using vi myself, but looking at vi.c, there is some obscure way
>> > to toggle bell/flash notification.
>> >
>> > grep for "bell" in vi.c
>> :
>> :set noflash
>
>i dont see this option in POSIX anywhere and default vi nowadays doesnt do
>that by default ... perhaps we should invert the defaults ? i dont see value
>in something that annoys most people and is pretty worthless ...

seconded.

Index: editors/vi.c === --- editors/vi.c(revision 19851) +++ editors/vi.c(working copy) @@ -338,7 +338,7 @@ int vi_main(int argc, char **argv) } #endif - vi_setops = VI_AUTOINDENT | VI_SHOWMATCH | VI_IGNORECASE | VI_ERR_METHOD; + vi_setops = VI_AUTOINDENT | VI_SHOWMATCH | VI_IGNORECASE; #if ENABLE_FEATURE_VI_YANKMARK memset(reg, 0, sizeof(reg)); // init the yank regs #endif

___
busybox mailing list
busybox@busybox.net
http://busybox.net/cgi-bin/mailman/listinfo/busybox
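Review bot: dropping VI_ERR_METHOD from the `vi_setops` default in the vi_main hunk changes the ESC notification for every user, but the patch carries no description of what a cleared flag means; the thread only says VI_ERR_METHOD is the bell/flash selector. Spell out in the commit message that the default becomes the bell rather than no notification at all, and that the counterpart of the `:set noflash` toggle named earlier in the thread still brings the flash back, and add a short comment beside `vi_setops = VI_AUTOINDENT | VI_SHOWMATCH | VI_IGNORECASE;` stating the chosen default so the next reader does not have to grep for "bell" to learn it.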
rsync of raw svn db available
for those who may find such a thing useful (to convert/backup/local mirror/whatever), you can now rsync the raw svn files

rsync -av --progress rsync://uclibc.org/svn/ svn/

-mike

___
busybox mailing list
busybox@busybox.net
http://busybox.net/cgi-bin/mailman/listinfo/busybox
Re: moving /bin/ip to /sbin/ip?
On Saturday 15 September 2007, Cristian Ionescu-Idbohrn wrote:
> On Fri, 14 Sep 2007, Mike Frysinger wrote:
> > generally yes ... however, i dont know of any distro who puts `ip` in
> > /bin and considering its purpose in life (configuring the interfaces),
> > putting it in /sbin makes sense to me
>
> Debian sid (unstable):
>
> # which ip
> /bin/ip
> # ls -l /bin/ip
> -rwxr-xr-x 1 root root 164568 Jun 10 21:39 /bin/ip*
> # ip -V
> ip utility, iproute2-ss070313

blah, they changed the defaults ... iproute2 upstream defaults to /sbin for ip

considering ip/ifconfig do the same thing, i think they should be in the same dir in busybox

or we can just drop the whole path charade from busybox completely ... then there isnt a problem of /bin vs /sbin vs /usr/bin vs /usr/sbin ...

-mike

___
busybox mailing list
busybox@busybox.net
http://busybox.net/cgi-bin/mailman/listinfo/busybox
Re: moving /bin/ip to /sbin/ip?
On Fri, 14 Sep 2007, Mike Frysinger wrote:
> generally yes ... however, i dont know of any distro who puts `ip` in
> /bin and considering its purpose in life (configuring the interfaces),
> putting it in /sbin makes sense to me

Debian sid (unstable):

# which ip
/bin/ip
# ls -l /bin/ip
-rwxr-xr-x 1 root root 164568 Jun 10 21:39 /bin/ip*
# ip -V
ip utility, iproute2-ss070313

Cheers,

--
Cristian

___
busybox mailing list
busybox@busybox.net
http://busybox.net/cgi-bin/mailman/listinfo/busybox