httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sameer <sam...@c2.net>
Subject Re: mod_cgissi
Date Sun, 03 Nov 1996 23:56:36 GMT
	I think a reasonable solution might be a less functional
SSI. Only SSI which is on a line by itself is allowed. then the CGI
writer needs to make sure that no user-entered input is printed on a
line by itself.

> At 3:34 PM -0800 11/3/96, Brian Behlendorf wrote:
> >On Sun, 3 Nov 1996, Nathan Neulinger wrote:
> >> Almost every cgi script EVER written would become an instant security hole
> >> if this were enabled.
> >
> >Anyone who doesn't validate their input is asking for it in one way or
> >another,
> >but I agree that this would open up another area for lazy cgi authors to
> >concern themselves about.  If it were made part of the distribution, that
> >would have to be well documented, sure.  As it is we'd probably even give it a
> >different file suffix and handler, say .scgi.
> 
> That's true, but unrealistic, and unreasonable... Printing out bad input
> should not result in a security hole.
> 
> And think of simple cgi's that are used for verifying the results of form
> input, like the test-post cgi... All it does it echo back what the user
> sent... A script like that would become a whole lot more complicated if it
> had to worry about what it was sending back to the browser.
> 
> -- Nathan
> 
> ------------------------------------------------------------
> Nathan Neulinger                  Univ. of Missouri - Rolla
> EMail: nneul@umr.edu                  Computing Services
> WWW: http://www.umr.edu/~nneul      SysAdmin: rollanet.org
> 
> 


-- 
Sameer Parekh					Voice:   510-986-8770
C2Net						FAX:     510-986-8777
The Internet Privacy Provider
http://www.c2.net/				sameer@c2.net

Mime
View raw message