Stephen Turner
Mon, 25 Oct 1999 13:40:25 -0700
On Fri, 22 Oct 1999, Susan Alderman wrote: > > I'd vote for removing the CGI command - one of the things that analog > has going for it is that it's simple to use, simple to set up. When > you start getting into security issues like this, all of a sudden > it's NOT simple to use/set up and people are liable to get bitten. > > (Admit it - how many people out there really read ALL the docs?) > My point exactly. Thanks for your comments on this, Susan and others. My wife pointed out another option: to filter out all potentially-dangerous commands given on the command line, if CGI ON was specified. (Or probably, just to stop the program if one of those commands had been given, and CGI was ON). I'm sure this could be made to work. However, I still think that the neatest, and safest, solution is to remove the command CGI altogether. Then all the security issues can be devolved to anlgform. No-one has yet objected to this proposal. This is your last chance to do so! -- Stephen Turner [EMAIL PROTECTED] http://www.statslab.cam.ac.uk/~sret1/ Statistical Laboratory, 16 Mill Lane, Cambridge CB2 1SB, England "Due to the conflict in Kosovo, we will not be showing the movie Wag the Dog. Instead, we will show Mortal Kombat: Annihilation." Cable & Wireless ------------------------------------------------------------------------ This is the analog-help mailing list. To unsubscribe from this mailing list, send mail to [EMAIL PROTECTED] with "unsubscribe analog-help" in the main BODY OF THE MESSAGE. List archived at http://www.mail-archive.com/analog-help@lists.isite.net/ ------------------------------------------------------------------------