On Wed, 23 Apr 1997, Brian Behlendorf wrote:
> On Tue, 22 Apr 1997, Dean Gaudet wrote:
> > Agenda for 1.2b9-dev
> > ====================
> >
> > Patches available:
> >
> > * PR#339: suexec doesn't work with QUERY_STRINGs
> > From: Anand Kumria <wildfire@progsoc.uts.edu.au>
> > <Pine.SUN.3.95.970420164729.17677C-100000@ftoomsh.progsoc.uts.edu.au>
>
> Yes yes, this definitely fixes the problem, and without it suexec is not nearly
> as useful. Hyperreal users now have this available in their ~/public_html/
> directories, if anyone's interested and wants to play.
Well that's a -1 from me. I'm not so sure that ~ (tilde) should be removed
from the set of characters Apache should escape. Would anyone else care to
comment on the possible security implications of that change - I assume it
was in there for a reason.
I'll do some work on suexec on the weekend, and have it instead detect
when its arguments have been escaped. I think that's a safer solution.
Anand.
--
`When any government, or any church for that matter, undertakes to say to
its subjects, "This you may not read, this you must not see, this you are
forbidden to know," the end result is tyranny and oppression no matter how
holy the motives' -- Robert A Heinlein, "If this goes on --"