Roundup Tracker - Issues


Author rouilj
Recipients antmail, ber, jerrykan, rouilj, techtonik
Date 2017-04-22.01:34:07
Message-id <>
In-reply-to <>
Hi Anthony:

In message <>, Anthony writes:
>Nevertheless, John, are you sure that adding the pass_headers option is a
>really good idea?
>Is passing all http headers, like other programs do and
>which conforms to the http/cgi standard, a bad thing?

Well we had and there is an open ticket for this:

so I would say yes there can be exploits. I also hope that no program
in the future will use HTTP_* as an environment variable but....

Also didn't the shellshock bash bug depend on creating a specially
crafted environment variable?

>In this topic I see only one con: "programming for safety
>usually means to only let variables (or values if this applies)
>pass through that are on a whitelist".

Yup, that's where pass_headers came from. It's the whitelist.

Have a great weekend.
				-- rouilj
John Rouillard
My employers don't acknowledge my existence much less my opinions.
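
The whitelist idea discussed in this message, as an added example that is not part of the original message and is not Roundup's code. It assumes the usual CGI mapping of request headers to HTTP_* meta-variables; the function names and the sample headers are hypothetical, and only the pass_headers name comes from the thread. It shows that under pass-all a client-supplied Proxy header lands in the environment as HTTP_PROXY, a name that some HTTP client software reads as proxy configuration, while a whitelist drops it.

```python
# Added illustration, not Roundup's implementation. All names except
# "pass_headers" are hypothetical.

# Headers that CGI exposes without the HTTP_ prefix (RFC 3875).
UNPREFIXED = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def header_to_cgi_name(name):
    """Map a header name to its CGI meta-variable name."""
    lowered = name.lower()
    if lowered in UNPREFIXED:
        return UNPREFIXED[lowered]
    return "HTTP_" + name.upper().replace("-", "_")


def build_cgi_env(headers, pass_headers=None):
    """Build CGI meta-variables from (name, value) header pairs.

    pass_headers=None copies every header (pass-all); otherwise only
    header names on the whitelist are copied, compared case-insensitively.
    """
    allowed = None
    if pass_headers is not None:
        allowed = {h.lower() for h in pass_headers}
    env = {}
    for name, value in headers:
        if allowed is not None and name.lower() not in allowed:
            continue
        env[header_to_cgi_name(name)] = value
    return env


def dropped_by_whitelist(headers, pass_headers):
    """CGI names that pass-all would set but the whitelist keeps out."""
    everything = build_cgi_env(headers)
    filtered = build_cgi_env(headers, pass_headers)
    return sorted(set(everything) - set(filtered))


# Constructed sample request headers (documentation addresses only).
SAMPLE_HEADERS = [
    ("Host", "tracker.example.org"),
    ("Content-Type", "text/plain"),
    ("X-Forwarded-For", "203.0.113.7"),
    ("Proxy", "http://192.0.2.10:8080"),
]

if __name__ == "__main__":
    print(dropped_by_whitelist(SAMPLE_HEADERS, ["Host", "X-Forwarded-For"]))
```
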
Date                 User    Action  Args
2017-04-22 01:34:09  rouilj  set     recipients: + rouilj, ber, techtonik, jerrykan, antmail
2017-04-22 01:34:08  rouilj  link    issue2550837 messages
2017-04-22 01:34:07  rouilj  create