httpd-dev mailing list archives

From d...@ast.cam.ac.uk (David Robinson)
Subject Re: #exec cgi PATH_INFO bugs (repost)
Date Tue, 08 Aug 1995 18:00:00 GMT
Rst wrote:
>   Date: Tue, 8 Aug 95 11:03 BST
>   From: drtr@ast.cam.ac.uk (David Robinson)
>   Precedence: bulk
>   Reply-To: new-httpd@hyperreal.com
>
>>   I'm reposting this patch, because I missed a bug.
>
>   In Apache 0.8.7 and 0.8.8 (and earlier versions), for a parsed HTML file
>   containing a <!--#exec cmd -->
>
>   PATH_INFO was set, even if NULL.
>   PATH_INFO was erroneously shell-escaped. (Fixed with new patch)
>
>Sigh... once again, this is not "erroneous", and "fixing" it would be
>both improper and dangerous.  Anyone with a shell script invoked
>through <!--#exec cmd-->, who is counting on the escaping to keep it
>safe, would not view naked shell metasyntax as a favor.

So use the patch I sent yesterday which left in the shell escaping.

 David.
