httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: svn commit: r1387984 - /httpd/httpd/trunk/Makefile.win
Date Fri, 21 Sep 2012 11:35:26 GMT
On Thu, Sep 20, 2012 at 8:13 PM, Gregg Smith <gls@gknw.net> wrote:
> On 9/20/2012 4:36 PM, Guenter Knauf wrote:
>>
>> Am 20.09.2012 16:56, schrieb Guenter Knauf:
>>>
>>> Am 20.09.2012 16:16, schrieb Guenter Knauf:
>>>>
>>>> Am 20.09.2012 16:02, schrieb Jeff Trawick:
>>>>>
>>>>> We shouldn't have scripts which, out of the box, leak information
>>>>> about the system or configuration.
>>>>
>>>> ok, I change the script in a way as printenv has (make shebang
>>>> in-active);
>>>
>>> done:
>>> http://svn.apache.org/viewvc?rev=1388054&view=rev
>>
>> from trunk/Makefile.win line 1043ff:
>>     copy docs\cgi-examples\printenv "$(INSTDIR)\cgi-bin\printenv.pl" <.y
>>     -awk -f <<script.awk "docs/cgi-examples/printenv" >
>> "$(INSTDIR)\cgi-bin\printenv.pl"
>>     BEGIN {
>>     if ( "perl -e \"print $$^X;\"" | getline perlroot ) {
>>         gsub( /\\/, "/", perlroot );
>>         print "#!" perlroot;
>>     }
>>     }
>>     {
>>     if ( $$0 !~ /^#!/ ) {
>>         print $$0;
>>     }
>>     }
>> <<
>>
>> so this is the place where the shebang gets fixed for printenv.pl, thus
>> making it executable unless perl is not in the search path ...
>> shouldn't we then remove this part and only copy it unchanged?
>
>
> These are samples, I think they should be executable. I personally do not
> like the fact that ScriptAlias is enabled by default. I think that is as
> much a concern.
>
> Regards,
> Gregg

A script that leaks information should not be enabled unless the
administrator takes an action specific to that script.

If the default configuration has cgi-bin disabled and the
administrator then drops an application there and enables cgi-bin,
they should not have to also disable printenv.

Perhaps at one point printenv was helpful to show somebody how easy it
is to write a CGI script.  Those days are over for anyone that knows
how to do a web search for "CGI <purpose>".  It could be helpful to
debug some aspects of configuration, though that is an infrequent use.

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
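The following is an added example, not code from the httpd project or from anyone in this thread. It reproduces in a POSIX shell the awk step quoted above from Makefile.win (prepend "#!<path to perl>" with backslashes turned into slashes, drop any existing "#!" line, write no shebang at all when perl cannot be found), and then counts how many printenv-style sample scripts in a cgi-bin directory ended up with an active shebang, which is the file-level check an administrator would want before enabling cgi-bin. The stand-in script contents, the scratch directory layout and the Windows perl path `C:\Perl\bin\perl.exe` are constructed for the demonstration; they are not the real printenv file or a real installation.

```shell
#!/bin/sh
# Added example, not httpd's own code: reproduce the Makefile.win awk rewrite
# of docs/cgi-examples/printenv -> cgi-bin/printenv.pl in a POSIX shell, then
# audit a cgi-bin directory for sample scripts whose shebang is active.
# All file contents and paths below are constructed for the demonstration.

# Write a constructed stand-in for the printenv demo CGI to $1. Its shebang is
# commented out ("in-active"), so a plain copy is not handed to an interpreter.
write_sample_printenv() {
    cat > "$1" <<'EOF'
##!/usr/bin/perl
##
##  constructed stand-in for printenv: dumps the CGI environment (not the real file)
##
print "Content-type: text/plain\n\n";
foreach $var (sort(keys(%ENV))) {
    print "$var=$ENV{$var}\n";
}
EOF
}

# Mirror the Makefile.win awk step: $1 is the source, $2 the destination.
# An optional $3 is the perl path to embed (an empty $3 simulates "perl not in
# the search path"); without $3, perl itself is asked for $^X, and, as in the
# Makefile, no shebang is written at all if perl cannot be run.
install_with_active_shebang() {
    src=$1 dst=$2
    if [ $# -ge 3 ]; then
        perlroot=$3
    else
        perlroot=$(perl -e 'print $^X' 2>/dev/null || true)
    fi
    # The path is passed through the environment, not "awk -v", so that
    # backslashes in a Windows path are not reinterpreted as escapes.
    perlroot="$perlroot" awk '
        BEGIN {
            p = ENVIRON["perlroot"]
            if (p != "") { gsub(/\\/, "/", p); print "#!" p }
        }
        $0 !~ /^#!/ { print }
    ' "$src" > "$dst"
}

# Print how many printenv* files in cgi-bin directory $1 start with an active
# "#!" line, i.e. how many a CGI-enabled server would actually execute.
count_active_samples() {
    n=0
    for f in "$1"/printenv*; do
        [ -f "$f" ] || continue
        case "$(head -n 1 "$f")" in
            '#!'*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Stand-alone demo: install the sample both ways into a scratch tree and audit.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/copied" "$tmp/installed"
    write_sample_printenv "$tmp/printenv"
    cp "$tmp/printenv" "$tmp/copied/printenv.pl"
    install_with_active_shebang "$tmp/printenv" "$tmp/installed/printenv.pl" 'C:\Perl\bin\perl.exe'
    echo "line 1 after install: $(head -n 1 "$tmp/installed/printenv.pl")"
    echo "active samples, plain copy:          $(count_active_samples "$tmp/copied")"
    echo "active samples, Makefile.win style:  $(count_active_samples "$tmp/installed")"
    rm -rf "$tmp"
}

demo
```

The count is only a file-level check: a sample with an active shebang still needs a ScriptAlias (or ExecCGI) mapping before a request can reach it, which is the other half of the thread's concern.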
