Message5960
Ok, I'm convinced by your explanation.
> In message <405313549.20170421175726@inbox.ru>, Anthony writes:
>>Nevertheless, John, are you sure that adding the pass_headers option is a
>>really good idea?
>>
>>Is passing all HTTP headers, like other programs do and which conforms to
>>the HTTP/CGI standard, a bad thing?
> Well, we had https://httpoxy.org/ and there is an open ticket for this:
> http://issues.roundup-tracker.org/issue2550925
> so I would say yes, there can be exploits. I also hope that no program
> in the future will use HTTP_* as an environment variable but....
> Also didn't the shellshock bash bug depend on creating a specially
> crafted environment variable?
>>In this topic I see only one con: "programming for safety
>>usually means to only let variables (or values if this applies)
>>pass through that are on a whitelist".
> Yup, that's where pass_headers came from. It's the whitelist.
> Have a great weekend.
> --
> -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
> ________________________________________________
> Roundup tracker <issues@roundup-tracker.org>
> <http://issues.roundup-tracker.org/issue2550837>
> ________________________________________________
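As an added illustration of the whitelist point made above (example code, not Roundup's own pass_headers implementation): the function names, the sample request headers and the whitelist below are constructed assumptions. It contrasts exporting every request header into the CGI environment with exporting only a listed subset, and shows why a client-supplied Proxy header is the case that matters.

```python
# Added example, not Roundup code: build CGI-style HTTP_* environment entries
# from request headers, first pass-everything, then with a pass_headers whitelist.

def cgi_env_name(header):
    """Map a header name to its CGI meta-variable, e.g. 'X-Real-IP' -> 'HTTP_X_REAL_IP'."""
    return "HTTP_" + header.strip().upper().replace("-", "_")


def environ_pass_all(headers):
    """The behaviour the thread argues against: every request header becomes HTTP_*.
    A client-supplied 'Proxy' header turns into HTTP_PROXY, which some HTTP client
    libraries read as an outbound proxy setting (the httpoxy issue)."""
    return {cgi_env_name(name): value for name, value in headers}


def environ_pass_headers(headers, pass_headers):
    """Whitelist approach: only headers listed in pass_headers are exported.
    Names are compared case-insensitively via their CGI form; all others are dropped."""
    allowed = {cgi_env_name(h) for h in pass_headers}
    env = {}
    for name, value in headers:
        key = cgi_env_name(name)
        if key in allowed:
            env[key] = value
    return env


# Constructed sample request: a reverse proxy's legitimate headers plus a
# client-controlled 'Proxy' header that should never reach the environment.
SAMPLE_HEADERS = [
    ("Host", "tracker.example.org"),
    ("X-Forwarded-Host", "tracker.example.org"),
    ("X-Real-IP", "192.0.2.10"),
    ("Proxy", "http://198.51.100.7:3128"),
    ("User-Agent", "constructed-test/1.0"),
]

# Hypothetical whitelist, in the spirit of the pass_headers option discussed above.
PASS_HEADERS = ["X-Forwarded-Host", "X-Real-IP"]

if __name__ == "__main__":
    unsafe = environ_pass_all(SAMPLE_HEADERS)
    safe = environ_pass_headers(SAMPLE_HEADERS, PASS_HEADERS)
    print("pass-all exports HTTP_PROXY:", "HTTP_PROXY" in unsafe)   # True
    print("whitelist exports HTTP_PROXY:", "HTTP_PROXY" in safe)    # False
    print("whitelist environment:", safe)
```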
Date                | User    | Action | Args
2017-04-22 10:00:58 | antmail | set    | recipients: + antmail, ber, rouilj, techtonik, jerrykan
2017-04-22 10:00:58 | antmail | link   | issue2550837 messages
2017-04-22 10:00:58 | antmail | create |