httpd-dev mailing list archives

From (Cliff Skolnick)
Subject Re: Closing file descriptors...
Date Thu, 27 Apr 1995 09:01:43 GMT

I think there are a lot worse things a malicious CGI script
can do.  This may not be a bad idea anyway though.  I doubt
it adds any security though.  Access to CGIs means a high level
of trust to your users.

On Apr 27, 10:33am, Robert S. Thau wrote:
} Subject: Closing file descriptors...
} Paul Phillips has just noted that the file descriptors for the log files
} are left open in NCSA 1.3, which might allow a malicious CGI script to
} cover its tracks or wipe the log files entirely.  It might be best to
} just close all descriptors except for stdin, stdout, and stderr before
} the exec() in cgi_stub().  Then again, stderr is generally set to the
} error log, and I generally consider that a feature, rather than a bug
} (if a script screws up, you generally get useful info in the error_log).
} Any thoughts?
} rst
}-- End of excerpt from Robert S. Thau
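
The descriptor inheritance discussed in this thread, as an added example that is not part of the original messages and is not NCSA or Apache code: a child process either leaves an inherited log descriptor open or closes everything above stderr before exec(), and a probe script reports whether it can still write to that descriptor. Assumptions: `LOG_FD`, `close_all_but_stdio()` and `script_reaches_log()` are hypothetical names, `/dev/null` stands in for the log file, and `/bin/sh` plays the CGI script.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define LOG_FD 9 /* constructed stand-in for the server's open log descriptor */

/* Child side, after fork() and before exec(): stderr stays open (error log). */
static void close_all_but_stdio(void)
{
    long max_fd = sysconf(_SC_OPEN_MAX);
    if (max_fd < 0 || max_fd > 65536)
        max_fd = 65536; /* assumed cap so the loop stays cheap under huge limits */
    for (int fd = STDERR_FILENO + 1; fd < max_fd; fd++)
        close(fd);
}

/* Returns 1 if the exec'd script can write to the inherited log descriptor,
 * 0 if the descriptor is gone after exec, -1 on setup failure. */
int script_reaches_log(int scrub)
{
    if (fcntl(LOG_FD, F_GETFD) != -1) return -1; /* fd 9 already in use here */
    int fd = open("/dev/null", O_WRONLY | O_APPEND);
    if (fd < 0) return -1;
    if (fd != LOG_FD) {
        int rc = dup2(fd, LOG_FD);
        close(fd);
        if (rc < 0) return -1;
    }
    pid_t pid = fork();
    if (pid == 0) {
        if (scrub) close_all_but_stdio();
        /* Probe: the redirection fails (EBADF) if fd 9 was not inherited. */
        execl("/bin/sh", "sh", "-c", "exec 2>/dev/null; : >&9", (char *)NULL);
        _exit(127);
    }
    int status = 0;
    close(LOG_FD);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)
        || WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("script reaches log, no scrub: %d\n", script_reaches_log(0));
    printf("script reaches log, scrubbed: %d\n", script_reaches_log(1));
    return 0;
}
```

Setting `FD_CLOEXEC` on each log descriptor when the server opens it gives the same result without the close loop.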
