List: mailman-cvs
Subject: [Mailman-checkins] CVS: mailman/src common.c,1.24,1.25 vsnprintf.c,1.1,1.2
From: Barry Warsaw <bwarsaw () users ! sourceforge ! net>
Date: 2000-09-29 0:20:46
Update of /cvsroot/mailman/mailman/src
In directory slayer.i.sourceforge.net:/tmp/cvs-serv2678
Modified Files:
common.c vsnprintf.c
Log Message:
A couple of notes for later
Index: common.c
===================================================================
RCS file: /cvsroot/mailman/mailman/src/common.c,v
retrieving revision 1.24
retrieving revision 1.25
diff -C2 -r1.24 -r1.25
*** common.c 2000/09/27 20:02:07 1.24
--- common.c 2000/09/29 00:20:43 1.25
***************
*** 135,138 ****
--- 135,144 ----
* environment. Some may or may not be hand crafted and passed into
* the execv'd environment.
+ *
+ * TBD: The logic of this should be inverted. IOW, we should audit the
+ * Mailman CGI code for those environment variables that are used, and
+ * specifically white list them, removing all other variables. John Viega
+ * also suggests imposing a maximum size just in case Python doesn't handle
+ * them right (which it should because Python strings have no hard limits).
*/
static char* killenvars[] = {
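Review bot: the TBD in this hunk describes the right fix but leaves the weaker default in place. The `killenvars` table is a denylist, so any variable nobody thought to list is passed through to the execv'd environment; an allow-list of the variables the CGI code actually reads (with everything else dropped) fails closed instead, and is worth tracking as an open item rather than only as a comment. The suggested maximum size is also worth enforcing in this wrapper regardless of how Python handles long strings, since the environment is copied and passed along here in C before Python ever sees it.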
***************
*** 150,153 ****
--- 156,161 ----
* argv[1:] are other args for the script
* env may or may not contain PYTHONPATH, we'll substitute our own
+ *
+ * TBD: third argument env may not be universally portable
*/
int
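Review bot: the portability concern about the third `env` argument to `main` is valid, and the TBD should name the portable alternative: read the process environment through `extern char **environ` instead of relying on a non-standard third parameter. Since the comment already says PYTHONPATH is replaced with our own value, it would also help to state explicitly whether the remaining variables are passed through unchanged, so the behaviour here can be checked against the filtering done by `killenvars` above.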
Index: vsnprintf.c
===================================================================
RCS file: /cvsroot/mailman/mailman/src/vsnprintf.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -C2 -r1.1 -r1.2
*** vsnprintf.c 1999/07/12 20:30:26 1.1
--- vsnprintf.c 2000/09/29 00:20:43 1.2
***************
*** 36,39 ****
--- 36,41 ----
* RMS says it's okay to include this code in Mailman but it should be kept
* in a separate file.
+ *
+ * TBD: This file needs a security audit.
*/
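Review bot: "needs a security audit" is too vague to act on; the TBD should list what the audit must check, at minimum that every write into the caller's buffer respects the size argument (including the terminating NUL) and that unknown or oversized format specifiers are rejected rather than parsed past the end of the format string. Because this is borrowed code kept in a separate file, it is also worth arranging for the build to use the system `vsnprintf` where one exists and fall back to this copy only where it does not, so the unaudited code is on the path for as few platforms as possible.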
_______________________________________________
Mailman-checkins mailing list
Mailman-checkins@python.org
http://www.python.org/mailman/listinfo/mailman-checkins