Date: Wed, 23 Jul 2003 15:00:33 -0700 (PDT) From: Ville =?ISO-8859-1?Q?Skytt=E4?= <scop@FreeBSD.org> To: freebsd-cvsweb@FreeBSD.org Subject: Re: ports/52386: [patch] devel/cvsweb and perl5.8 Message-ID: <200307232200.h6NM0XMB098508@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR ports/52386; it has been noted by GNATS.
From: Ville =?ISO-8859-1?Q?Skytt=E4?= <scop@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org, chu@gpi.ru
Cc:
Subject: Re: ports/52386: [patch] devel/cvsweb and perl5.8
Date: 24 Jul 2003 00:57:09 +0300
I'm aware of the issue, being a RHL 9 / perl 5.8.0 user here... *duck*
But unfortunately IMO this is just the tip of an iceberg. The problem
should be addressed in a more general level than case-by-case; The Real
Fix would be to untaint $ENV{PATH_INFO} and its derivatives as well as
all incoming query string parameters. Some parameters (@unsafevars) are
already being laundered in CVS HEAD, but that's obviously just a start.
Suggestions/contributions about how to launder that stuff without
breaking existing setups (think eg. non-ASCII + other unusual characters
in directory names, valid set of characters for tag/branch names, legal
CVSROOT "symbolic names" etc) are welcome :)
--
\/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200307232200.h6NM0XMB098508>