httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From (Robert S. Thau)
Subject Closing file descriptors...
Date Thu, 27 Apr 1995 10:33:02 GMT
Paul Phillips has just noted that the file descriptors for the log files
are left open in NCSA 1.3, which might allow a malicious CGI script to
cover its tracks or wipe the log files entirely.  It might be best to
just close all descriptors except for stdin, stdout, and stderr before
the exec() in cgi_stub().  The again, stderr is generally set to the 
error log, and I generally consider that a feature, rather than a bug
(if a script screws up, you generally get useful info in the error_log).
Any thoughts?


View raw message