httpd-dev mailing list archives

From Nathan Neulinger <nn...@umr.edu>
Subject Re: mod_cgissi
Date Sun, 03 Nov 1996 23:41:53 GMT
At 3:34 PM -0800 11/3/96, Brian Behlendorf wrote:
>On Sun, 3 Nov 1996, Nathan Neulinger wrote:
>> Almost every cgi script EVER written would become an instant security hole
>> if this were enabled.
>
>Anyone who doesn't validate their input is asking for it in one way or another,
>but I agree that this would open up another area for lazy cgi authors to
>concern themselves about.  If it were made part of the distribution, that
>would have to be well documented, sure.  As it is we'd probably even give it a
>different file suffix and handler, say .scgi.

That's true, but unrealistic, and unreasonable... Printing out bad input
should not result in a security hole.

And think of simple cgi's that are used for verifying the results of form
input, like the test-post cgi... All it does is echo back what the user
sent... A script like that would become a whole lot more complicated if it
had to worry about what it was sending back to the browser.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                  Univ. of Missouri - Rolla
EMail: nneul@umr.edu                  Computing Services
WWW: http://www.umr.edu/~nneul      SysAdmin: rollanet.org


