
List:       mon
Subject:    monshow cgi args fix (security?)
From:       Thomas Koester <tkoester () intevation ! de>
Date:       2002-03-19 9:15:24

Hi!

I'm using the mon debian package version 0.99.2-2 together with
Caudium as a web server.

I always wondered why things like /cgi-bin/monshow?detail=mail,smtp
didn't work. The problem was that Caudium adds the query string to
the argument vector.

Therefore mon should discard all arguments when called as a cgi
script. I've attached a small patch for this.

Thomas

-- 
Email: tkoester@intevation.de
http://intevation.de/~tkoester/

["monshow-cgiargs.patch" (text/plain)]

--- monshow.orig	Wed Dec  5 12:54:14 2001
+++ monshow	Tue Mar 19 09:59:37 2002
@@ -69,6 +69,19 @@
 
 my ($DEP, $GROUP, $SERVICE, $STATUS, $TIME, $NEXT, $ALERTS, $SUMMARY, $DESC);
 
+my $CGI;
+my %QUERY_ARGS;
+if (defined $ENV{"REQUEST_METHOD"})
+{
+    unless ($CGI = new CGI)
+    {
+    	$CGI = 1;
+	err_die ("Can't create CGI object\n");
+    }
+    @ARGV = ()
+}
+
+
 # Untaint args, tainting is just for stuff which comes from CGI.
 for (@ARGV) {
     /(.*)/s or die;
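Review bot: `@ARGV = ()` at the end of the new `if` block has no terminating semicolon and no comment saying why the arguments are discarded. Perl accepts the missing semicolon before a closing brace, but the next statement appended there will break; suggest `@ARGV = ();` with a comment that some web servers put the query string into the argument vector. Placing the reset ahead of the untaint loop is the right order, since that loop's `/(.*)/s` match accepts any value and request-supplied arguments should never reach it. The reset is keyed only on `REQUEST_METHOD` being defined, so a command-line run with that variable set in the environment silently loses its switches; that deserves a line in the documentation.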
@@ -82,16 +95,6 @@
 
 @ARGV == 0 || usage "No non-switch args expected\n";
 
-my $CGI;
-my %QUERY_ARGS;
-if (defined $ENV{"REQUEST_METHOD"})
-{
-    unless ($CGI = new CGI)
-    {
-    	$CGI = 1;
-	err_die ("Can't create CGI object\n");
-    }
-}
 
 if (!$CGI && $opt{"help"})
 {
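Review bot: removing the block here leaves the blank context line that followed it directly after the blank line below the `@ARGV == 0 || usage` check, so two consecutive empty lines remain; drop one. With `@ARGV` now emptied earlier for CGI requests, the `usage "No non-switch args expected\n"` check can no longer trigger for web requests, which is the intent but is worth a short comment at that line so the dependency on the earlier reset is not lost in a later reordering.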

