httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Randy Terbush <ra...@zyzzyva.com>
Subject Re: Bug?
Date Mon, 29 Jul 1996 13:45:36 GMT
> > The
> > cgi-bin and cgi-src programs that NCSA and Apache including with their
> > distributions for years did exactly that. Rememeber all those CERT
> > advisories? Those came about exactly because we didn't escape *enough*
> > characters. If we remove the escaping, then suddenly a lot of CGI scripts
> > become targets for attack. Oops.
> 
> The advisories that I remember fell into two classes. Those that warned of
> dodgy CGI binaries which didn't take sufficient care, and those that spuriously
> claimed that Apache itself had a security hole, which we corrected but then
> decided was not, in fact, true. The problem I've got is that I can't remember
> what we actually changed. I do know that we didn't change it back.

Correct. I noticed we had not reversed this when you brought this up.
The change was in escape_shell_cmd where we added an escape for '\n'.
There was discussion at the time that this would break some expected
behaviour. I have not heard any complaints...






Mime
View raw message