Date: Wed, 23 Jul 2003 15:00:33 -0700 (PDT) From: Ville =?ISO-8859-1?Q?Skytt=E4?= <scop@FreeBSD.org> To: freebsd-cvsweb@FreeBSD.org Subject: Re: ports/52386: [patch] devel/cvsweb and perl5.8 Message-ID: <200307232200.h6NM0XMB098508@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR ports/52386; it has been noted by GNATS. From: Ville =?ISO-8859-1?Q?Skytt=E4?= <scop@FreeBSD.org> To: freebsd-gnats-submit@FreeBSD.org, chu@gpi.ru Cc: Subject: Re: ports/52386: [patch] devel/cvsweb and perl5.8 Date: 24 Jul 2003 00:57:09 +0300 I'm aware of the issue, being a RHL 9 / perl 5.8.0 user here... *duck* But unfortunately IMO this is just the tip of an iceberg. The problem should be addressed in a more general level than case-by-case; The Real Fix would be to untaint $ENV{PATH_INFO} and its derivatives as well as all incoming query string parameters. Some parameters (@unsafevars) are already being laundered in CVS HEAD, but that's obviously just a start. Suggestions/contributions about how to launder that stuff without breaking existing setups (think eg. non-ASCII + other unusual characters in directory names, valid set of characters for tag/branch names, legal CVSROOT "symbolic names" etc) are welcome :) -- \/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200307232200.h6NM0XMB098508>