On Fri, 22 Oct 1999, Susan Alderman wrote:
>
> I'd vote for removing the CGI command - one of the things that analog
> has going for it is that it's simple to use, simple to set up. When
> you start getting into security issues like this, all of a sudden
> it's NOT simple to use/set up and people are liable to get bitten.
>
> (Admit it - how many people out there really read ALL the docs?)
>
My point exactly.
Thanks for your comments on this, Susan and others.
My wife pointed out another option: to filter out all potentially-dangerous
commands given on the command line, if CGI ON was specified. (Or probably,
just to stop the program if one of those commands had been given, and CGI
was ON).
I'm sure this could be made to work. However, I still think that the
neatest, and safest, solution is to remove the command CGI altogether. Then
all the security issues can be devolved to anlgform.
No-one has yet objected to this proposal. This is your last chance to do so!
--
Stephen Turner [EMAIL PROTECTED] http://www.statslab.cam.ac.uk/~sret1/
Statistical Laboratory, 16 Mill Lane, Cambridge CB2 1SB, England
"Due to the conflict in Kosovo, we will not be showing the movie Wag the
Dog. Instead, we will show Mortal Kombat: Annihilation." Cable & Wireless
------------------------------------------------------------------------
This is the analog-help mailing list. To unsubscribe from this
mailing list, send mail to [EMAIL PROTECTED]
with "unsubscribe analog-help" in the main BODY OF THE MESSAGE.
List archived at http://www.mail-archive.com/analog-help@lists.isite.net/
------------------------------------------------------------------------
