On 11/28/2015 10:24 PM, Russ Allbery wrote:
> Robert Bradley <robert.brad...@it.ox.ac.uk> writes:
>
>> Thanks! That patch solves the problem perfectly, although I personally
>> agree that having a time limit to login isn't all that important. Is
>> this likely to be added to the Debian packages at some point?
>
> Well, ideally there would be a WebAuth 4.7.1 release with the various
> accumulated fixes that I could package for Debian. There are a couple of
> committed fixes, and I have three pull requests open at the canonical
> repository (https://github.com/Stanford/webauth) to be merged.
>
> Stanford folks, what are the plans for a 4.7.1 release?
>
>> Incidentally, while I was testing, I also saw several complaints from
>> CGI::param in my Apache logs:
>>
>>   FastCGI: server "/usr/share/webkdc/cgi/login.fcgi" stderr: CGI::param
>>   called in list context from package WebLogin line 1615, this can lead
>>   to vulnerabilities. See the warning in "Fetching the value or values
>>   of a single named parameter" at /usr/share/perl5/CGI.pm line 436.
>>
>> The following patch seems to silence the log noise, assuming that line
>> wraps do not break it. However, it's worth double-checking it to make
>> sure I'm not forcing too much to be scalar:
>
> Looks good to me. I turned this into a pull request as well.

None of the people currently in the owning group are actually on the list, so
I've cc'd the current manager to give official word on any plans.
--
Jon Robertson
Systems Administrator
Digital Library Systems & Services
Stanford University Libraries
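
Added example, not part of the thread and not WebAuth code: why CGI.pm warns about `param` in list context, and what forcing scalar context changes. The `param` sub and `%query` below are constructed stand-ins that assume the documented CGI::param behaviour (all values in list context, the first value in scalar context), so the script runs without CGI.pm installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed request, equivalent to the query string
#   user=alice&user=role&user=admin
# (one parameter name supplied three times).
my %query = (
    user => [ 'alice', 'role', 'admin' ],
);

# Hypothetical stand-in for CGI::param: every value of the parameter in
# list context, only the first value in scalar context.
sub param {
    my ($name) = @_;
    my @values = @{ $query{$name} || [] };
    return wantarray ? @values : $values[0];
}

# List context: the hash constructor evaluates param() as a list, so the
# extra values are read as a further key/value pair and replace 'role'.
my %unsafe = (role => 'guest', user => param('user'));

# Scalar context: exactly one value comes back, so the hash keeps the
# shape the code intended.
my %safe = (role => 'guest', user => scalar param('user'));

printf "list context:   user=%s role=%s\n", $unsafe{user}, $unsafe{role};
printf "scalar context: user=%s role=%s\n", $safe{user},   $safe{role};
```

When a parameter is legitimately multi-valued, CGI.pm 4.08 and later provide `multi_param` for that case, which is the reason to double-check which calls are forced to scalar.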