Message-ID: <19980505191529.28695.qmail@hotmail.com>
From: "wOrm sign"
To: marc@apache.org, marc@hyperreal.org
Cc: apache-bugdb@apache.org
Subject: Re: general/2182: test-cgi security flaw
Date: Tue, 05 May 1998 12:15:25 PDT

>Synopsis: test-cgi security flaw
>
>State-Changed-From-To: open-analyzed
>State-Changed-By: marc
>State-Changed-When: Tue May 5 08:32:47 PDT 1998
>State-Changed-Why:
>What OS are you using?
>
>Are you sure you aren't using an old copy of test-cgi?
>
>The version distributed with Apache is _NOT_ vulnerable to
>this problem unless you use a very broken shell. Note the:
>
># disable filename globbing
>set -f
>
>line.

Hey, sorry about that. I'm mistaken. I downloaded the tar/gzipped
source this morning to make sure the bug still existed, without
actually trying the script. I looked for quotes, and saw none, not
thinking that a more robust solution might have been implemented.
The test-cgi script I use on my home box is indeed very old.

I'm not that familiar with this PR system, so maybe if you could
close this for me...

sorry again,
Reuben
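
The following is an added example, not part of the original message and not Apache's test-cgi: it contrasts an unquoted echo of a request-derived variable with globbing enabled, the same echo after `set -f`, and a quoted echo. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo of the three cases discussed in the thread.
# Each function body is a subshell, so `set -f` / `set +f` stay local.

# Old-style script: unquoted expansion, globbing on.
# Wildcards in the value are expanded against the filesystem.
render_unquoted() (
    QUERY_STRING=$1
    set +f
    echo QUERY_STRING = $QUERY_STRING
)

# Same unquoted echo after `set -f` (disable filename globbing).
# Wildcards stay literal; word splitting still collapses whitespace.
render_noglob() (
    QUERY_STRING=$1
    set -f
    echo QUERY_STRING = $QUERY_STRING
)

# Quoted expansion: no globbing and no word splitting.
render_quoted() (
    QUERY_STRING=$1
    set +f
    echo "QUERY_STRING = $QUERY_STRING"
)

demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/notes.txt"      # constructed sample files
    : > "$dir/backup.old"
    for f in render_unquoted render_noglob render_quoted; do
        printf '%-16s ' "$f:"
        "$f" "$dir/*"
    done
    rm -rf "$dir"
}
demo
```

Only the first function prints the directory listing; `set -f` and quoting both leave the `*` literal, and quoting additionally preserves the value's whitespace.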