Message5959
Hi Anthony:
In message <405313549.20170421175726@inbox.ru>, Anthony writes:
>Nevertheless, John, are you sure that adding pass_headers option is a
>really good idea?
>
>Is passing all HTTP headers, as other programs do and as the HTTP/CGI
>standard specifies, a bad thing?
Well, we had https://httpoxy.org/ and there is an open ticket for this:
http://issues.roundup-tracker.org/issue2550925
so I would say yes there can be exploits. I also hope that no program
in the future will use HTTP_* as an environment variable but....
Also didn't the shellshock bash bug depend on creating a specially
crafted environment variable?
>In this topic I see only one cons: "programming for safety
>usually means to only let variables (or values if this applies)
>pass through that are on a whitelist".
Yup, that's where pass_headers came from. It's the whitelist.
Have a great weekend.
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
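The mechanism behind the httpoxy reference above, as an added example that is not part of this message and not Roundup's own pass_headers code: a CGI-style mapping of request headers into HTTP_* environment variables, the "pass everything" behaviour beside an allow-list filter, and a check for names that a child process might read as client configuration. The header values, the allow-list contents and all function names are constructed for the demo.

```python
"""Added example, not Roundup code: CGI header-to-environment mapping and
why an allow-list (the pass_headers idea) matters.

Everything below (sample headers, allow-list, function names) is
constructed for illustration.
"""
from typing import Dict, FrozenSet, List, Optional


def cgi_env_name(header_name: str) -> str:
    """CGI rule (RFC 3875): upper-case, '-' becomes '_', prefix 'HTTP_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_env(headers: Dict[str, str],
              allowed: Optional[FrozenSet[str]] = None) -> Dict[str, str]:
    """Return the HTTP_* variables that would be exported to a CGI child.

    allowed=None reproduces "pass every header through".  Otherwise only
    headers on the allow-list (compared case-insensitively) are exported,
    which is the whitelist behaviour discussed in the message.
    """
    env: Dict[str, str] = {}
    for name, value in headers.items():
        if allowed is not None and name.lower() not in allowed:
            continue  # not on the allow-list: never reaches the child
        env[cgi_env_name(name)] = value
    return env


# Constructed sample request.  "Proxy" is the header httpoxy is about: the
# CGI rule turns it into HTTP_PROXY, a name many HTTP client libraries read
# as their outbound proxy setting.
SAMPLE_HEADERS: Dict[str, str] = {
    "Host": "tracker.example",
    "User-Agent": "demo/1.0",
    "Proxy": "http://proxy.invalid:3128",
}

# Hypothetical allow-list in the spirit of pass_headers (constructed).
PASS_HEADERS: FrozenSet[str] = frozenset({"host", "user-agent"})

# Constructed check set: environment names that client libraries commonly
# treat as configuration rather than as request data.
CONFIG_LIKE_NAMES = {"HTTP_PROXY", "HTTPS_PROXY"}


def env_collides_with_client_config(env: Dict[str, str]) -> List[str]:
    """Names in env that a child process might interpret as configuration."""
    return sorted(k for k in env if k in CONFIG_LIKE_NAMES)


if __name__ == "__main__":
    everything = build_env(SAMPLE_HEADERS)
    print("pass all headers:", everything)
    print("  collisions:", env_collides_with_client_config(everything))

    filtered = build_env(SAMPLE_HEADERS, PASS_HEADERS)
    print("allow-list only:", filtered)
    print("  collisions:", env_collides_with_client_config(filtered))
```

The point the example makes is structural: the unsafe case is not a malformed header but a perfectly ordinary one whose CGI name happens to coincide with a variable some library already trusts, so denying by default and listing what is passed is the only rule that keeps working as new libraries and new HTTP_* names appear.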
History:
Date                | User   | Action | Args
2017-04-22 01:34:09 | rouilj | set    | recipients: + rouilj, ber, techtonik, jerrykan, antmail
2017-04-22 01:34:08 | rouilj | link   | issue2550837 messages
2017-04-22 01:34:07 | rouilj | create |