Roundup Tracker - Issues


Author antmail
Recipients antmail, ber, jerrykan, rouilj, techtonik
Date 2017-04-22.10:00:58
Message-id <>
In-reply-to <>
Ok, I'm convinced by your explanation.

> In message <>, Anthony writes:
>>Nevertheless, John, are you sure that adding the pass_headers option is
>>really a good idea?
>>Is passing all HTTP headers, as other programs do and which
>>conforms to the HTTP/CGI standard, a bad thing?

> Well we had and there is an open ticket for this:


> so I would say yes there can be exploits. I also hope that no program
> in the future will use HTTP_* as an environment variable but....

> Also didn't the shellshock bash bug depend on creating a specially
> crafted environment variable?

>>In this topic I see only one con: "programming for safety
>>usually means to only let variables (or values if this applies)
>>pass through that are on a whitelist".

> Yup, that's where pass_headers came from. It's the whitelist.

> Have a great weekend.
> --
>                                 -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.

Date                 User     Action  Args
2017-04-22 10:00:58  antmail  set     recipients: + antmail, ber, rouilj, techtonik, jerrykan
2017-04-22 10:00:58  antmail  link    issue2550837 messages
2017-04-22 10:00:58  antmail  create
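
The allowlist approach discussed in this message, as an added example that is not Roundup's code and not part of the original thread: a sketch of how a CGI-style gateway could build the environment so that only headers named in a pass_headers-style allowlist become HTTP_* variables. The function names, the sample headers, and the rules for refusing underscore names and control characters are assumptions made for illustration.

```python
import re

# Header field names are RFC 7230 tokens; anything else is malformed.
TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")


def cgi_name(header):
    """CGI meta-variable name for a request header (RFC 3875, 4.1.18)."""
    return "HTTP_" + header.upper().replace("-", "_")


def build_cgi_environ(headers, pass_headers, base_env=None):
    """Return (environ, dropped). Hypothetical helper, not Roundup's API.

    headers      -- (name, value) pairs as sent by the client
    pass_headers -- header names allowed through (the allowlist)
    """
    allowed = {cgi_name(h) for h in pass_headers}
    passed, dropped = {}, []
    for name, value in headers:
        # "_" in a name is refused: after mapping, Accept_Language and
        # Accept-Language would be the same variable.
        bad_name = not TOKEN.fullmatch(name) or "_" in name
        bad_value = any(c in value for c in "\r\n\0")
        key = cgi_name(name)
        if bad_name or bad_value or key not in allowed:
            dropped.append(name)
            continue
        # Repeated headers are combined into one comma-separated value.
        passed[key] = passed[key] + ", " + value if key in passed else value
    environ = dict(base_env or {})
    environ.update(passed)
    return environ, dropped


# Constructed sample request, not taken from the tracker issue.
SAMPLE_HEADERS = [
    ("Accept-Language", "en"),
    ("Accept-Language", "fr"),
    ("Proxy", "http://proxy.example.invalid:8080"),  # would become HTTP_PROXY
    ("X-Custom", "constructed value"),
    ("Accept_Language", "de"),
]

if __name__ == "__main__":
    env, dropped = build_cgi_environ(
        SAMPLE_HEADERS, ["Accept-Language"], {"REQUEST_METHOD": "GET"})
    print(env)
    print("dropped:", dropped)
```

The allowlist limits which variable names a client can create; it does not make the values of allowed headers trustworthy, so those still need validation by whatever consumes them.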