Robert Bradley <robert.brad...@it.ox.ac.uk> writes:

> Thanks! That patch solves the problem perfectly, although I personally
> agree that having a time limit to login isn't all that important. Is
> this likely to be added to the Debian packages at some point?

Well, ideally there would be a WebAuth 4.7.1 release with the various accumulated fixes that I could package for Debian. There are a couple of committed fixes, and I have three pull requests open at the canonical repository (https://github.com/Stanford/webauth) to be merged.

Stanford folks, what are the plans for a 4.7.1 release?

> Incidentally, while I was testing, I also saw several complaints from
> CGI::param in my Apache logs:
>
> FastCGI: server "/usr/share/webkdc/cgi/login.fcgi" stderr: CGI::param
> called in list context from package WebLogin line 1615, this can lead
> to vulnerabilities. See the warning in "Fetching the value or values
> of a single named parameter" at /usr/share/perl5/CGI.pm line 436.
>
> The following patch seems to silence the log noise, assuming that line
> wraps do not break it. However, it's worth double-checking it to make
> sure I'm not forcing too much to be scalar:

Looks good to me. I turned this into a pull request as well.

--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>