List: mon
Subject: monshow cgi args fix (security?)
From: Thomas Koester <tkoester () intevation ! de>
Date: 2002-03-19 9:15:24
Hi!

I'm using the mon Debian package version 0.99.2-2 together with
Caudium as a web server.

I always wondered why things like /cgi-bin/monshow?detail=mail,smtp
didn't work. The problem was that Caudium adds the query string to
the argument vector.

Therefore mon should discard all arguments when called as a CGI
script. I've attached a small patch for this.

Thomas
--
Email: tkoester@intevation.de
http://intevation.de/~tkoester/
["monshow-cgiargs.patch" (text/plain)]
--- monshow.orig Wed Dec 5 12:54:14 2001
+++ monshow Tue Mar 19 09:59:37 2002
@@ -69,6 +69,19 @@
my ($DEP, $GROUP, $SERVICE, $STATUS, $TIME, $NEXT, $ALERTS, $SUMMARY, $DESC);
+my $CGI;
+my %QUERY_ARGS;
+if (defined $ENV{"REQUEST_METHOD"})
+{
+ unless ($CGI = new CGI)
+ {
+ $CGI = 1;
+ err_die ("Can't create CGI object\n");
+ }
+ @ARGV = ()
+}
+
+
# Untaint args, tainting is just for stuff which comes from CGI.
for (@ARGV) {
/(.*)/s or die;
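Review bot: the `@ARGV = ()` at the end of the new `if (defined $ENV{"REQUEST_METHOD"})` block carries no comment, and its correctness depends on running before the untaint loop that follows in the context lines. That loop's visible pattern, `/(.*)/s`, matches any string, so without the reset, arguments the web server derived from the query string would go through the same blanket match as command-line arguments typed by a local user. Please add a one-line comment above the assignment stating that arguments supplied by the web server are dropped on purpose and that the block must stay ahead of the "Untaint args" loop, so a later reorder does not silently undo the fix. Two smaller points: terminate the statement with a semicolon (`@ARGV = ();`) even though Perl accepts it as the last statement in a block, and drop one of the two blank `+` lines added after the closing brace.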
@@ -82,16 +95,6 @@
@ARGV == 0 || usage "No non-switch args expected\n";
-my $CGI;
-my %QUERY_ARGS;
-if (defined $ENV{"REQUEST_METHOD"})
-{
- unless ($CGI = new CGI)
- {
- $CGI = 1;
- err_die ("Can't create CGI object\n");
- }
-}
if (!$CGI && $opt{"help"})
{
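Review bot: the context line `@ARGV == 0 || usage "No non-switch args expected\n";` at the top of this hunk now always passes when `REQUEST_METHOD` is set, because the first hunk empties `@ARGV` before this point; that is the intended effect but it is not stated anywhere in the patch, so it belongs in the change description. The removed `my $CGI;` block is identical to the lines added in the first hunk apart from the new `@ARGV = ()`, so this is a move, and the remaining thing to confirm is that no code between the new location (around line 72) and this one (around line 95) relied on `$CGI` still being undefined. The surviving `if (!$CGI && $opt{"help"})` is unaffected since `$CGI` is declared earlier.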