
cgi security issue

  • markussi69 (Message 1 of 2, Feb 8, 2002)
      Steve,

      is there a way to prevent pl/plpng from writing errorfile or diagfile
      in CGI mode?
      Using 'http://...&-error&/somewhere/errfile' I'm able to create files
      everywhere where apache is allowed to.

      Currently I put comments around 'Diagfp = fopen( val, "w" );'
      and 'Errfp = fopen( val, "w" );' in process_arg.c.
      But that's not the way it should be.

      Thanks

      Markus
    • Stephen C. Grubb (Message 2 of 2, Feb 8, 2002)
        Markus, thanks for finding another problem.

        A fix has been posted, see
        http://ploticus.sourceforge.net/doc/Versions.html

        This fix should be installed ASAP by anyone using ploticus in CGI mode.

        The fix gives the following behavior when in CGI mode:

        -diagfile and -errfile no longer do anything

        if -debug is specified, diagnostic output is written to /tmp/plcgi_diag
        and error message output is written to /tmp/plcgi_err .. This should be
        helpful with debugging in CGI mode (if the user specifies a tmpdir then
        that directory is used; for win32 c:\temp is the default).

        P.S. Sorry there have been so many oversights in 2.02.. I will try to get
        a new release out soon.

        -Steve
        On Fri, 8 Feb 2002, markussi69 wrote:

        > Steve,
        >
        > is there a way to prevent pl/plpng from writing errorfile or diagfile
        > in CGI mode?
        > Using 'http://...&-error&/somewhere/errfile' I'm able to create files
        > everywhere where apache is allowed to.
        >
        > Currently I put comments around 'Diagfp = fopen( val, "w" );'
        > and 'Errfp = fopen( val, "w" );' in process_arg.c.
        > But that's not the way it should be.
        >
        > Thanks
        >
        > Markus


        Stephen C. Grubb scg@...
        Scientific Software Engineer, The Jackson Laboratory
        600 Main Street Bar Harbor, Maine 04609 USA
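The behaviour Steve describes (in CGI mode the -diagfile/-errfile values are ignored, and with -debug the output goes to fixed names under a temp directory) is a small policy decision that is easy to get right in code. The following is an added illustration written for this thread, not the ploticus source or Steve's actual patch; the names `runmode`, `resolve_output_path` and `open_output` are invented here, and the struct fields are assumed to come from the server environment and configuration rather than from the request.

```c
/* Added example: safe handling of -diagfile / -errfile in CGI mode, modelled
 * on the fix behaviour described in the thread. Illustration only; not the
 * ploticus source. runmode, resolve_output_path and open_output are invented. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#define DEFAULT_TMPDIR "c:\\temp"   /* win32 default named in the thread */
#else
#define DEFAULT_TMPDIR "/tmp"       /* yields /tmp/plcgi_diag and /tmp/plcgi_err */
#endif

enum outkind { OUT_DIAG, OUT_ERR };   /* which stream an option redirects */

/* How the program was started. Assumption: these values are set from the
 * server environment and configuration, never parsed out of the request. */
struct runmode {
    int cgi;            /* 1 when running as a CGI program */
    int debug;          /* 1 when -debug was given */
    const char *tmpdir; /* configured temp directory, or NULL for the default */
};

/* Decide whether a diagnostic/error file may be written and, if so, where.
 * `requested` is the -diagfile/-errfile value as received; in CGI mode that
 * is data an anonymous web client supplied. Returns 1 and fills `out` with
 * the path to open, or 0 when no file must be opened at all. */
int resolve_output_path(enum outkind kind, const char *requested,
                        const struct runmode *m, char *out, size_t outlen)
{
    if (!m->cgi) {
        /* Command-line use: the invoking user owns the process and chose
         * the path, so honouring it is fine. */
        if (requested == NULL || *requested == '\0')
            return 0;
        snprintf(out, outlen, "%s", requested);
        return 1;
    }

    /* CGI mode: the requested path is never used, so -diagfile/-errfile
     * "no longer do anything" regardless of what the URL carries. */
    if (!m->debug)
        return 0;

    /* -debug in CGI mode: only a fixed file name inside the temp directory. */
    const char *dir = (m->tmpdir && *m->tmpdir) ? m->tmpdir : DEFAULT_TMPDIR;
    const char *name = (kind == OUT_DIAG) ? "plcgi_diag" : "plcgi_err";
    snprintf(out, outlen, "%s/%s", dir, name);
    return 1;
}

/* Replacement for the bare `Errfp = fopen( val, "w" );` pattern: the path is
 * decided by policy first, so a request can never pick the file name. */
FILE *open_output(enum outkind kind, const char *requested, const struct runmode *m)
{
    char path[512];
    if (!resolve_output_path(kind, requested, m, path, sizeof path))
        return NULL;
    return fopen(path, "w");
}

int main(void)
{
    char path[512];
    /* Constructed request value of the shape a web client could submit. */
    const char *hostile = "/somewhere/errfile";

    struct runmode cgi_quiet = { 1, 0, NULL };
    struct runmode cgi_debug = { 1, 1, NULL };
    struct runmode cli       = { 0, 0, NULL };

    if (!resolve_output_path(OUT_ERR, hostile, &cgi_quiet, path, sizeof path))
        puts("CGI, no -debug: -errfile ignored, nothing written");
    if (resolve_output_path(OUT_ERR, hostile, &cgi_debug, path, sizeof path))
        printf("CGI with -debug: errors go to %s, not %s\n", path, hostile);
    if (resolve_output_path(OUT_DIAG, "./mydiag.txt", &cli, path, sizeof path))
        printf("command line: diagnostics go to %s as requested\n", path);
    return 0;
}
```

The important property is that in CGI mode the request can influence at most whether a file is written (via -debug), never which file: the directory comes from configuration and the file name is a constant. Keeping `tmpdir` out of the request string matters for the same reason, since a request-controlled directory would reopen the original problem through a different option.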