On 15-May-00 Jeremy Wadsack wrote:
> No. Don't do that. Please read the anlgform.pl file, the anlgform.html file,
> and the documentation on the form interface in the Analog docs. Then read a
> little about CGI scripting and security issues (NCSA's CGI tutorial is a good
> place to start).
> 
> The Analog form interface is provided to cover a lot of potential security
> holes that approaches like yours can make happen. You shouldn't put Analog in
> a CGI directory because some servers will allow ANY command-line options to be
> passed on. 

Well, the actual binary is somewhere in /usr/local/bin, the script is in the
cgi-bin.

> Your script will also produce invalid HTML (although your browser may
> render it as you expect it to).

The output looks fine to me, I even tried it in lynx with no errors.

So that explains why anlgform.pl has all this stuff in it.  I wondered why one
couldn't just execute "analog" but now I know the answer...

I will take your advice and change it back to the anlgform.pl, because I think
security does matter.

Thanks for the advice

-- 
DSS/DH cryptographic KeyID: 0x69C2B37B (PGP5) | http://ozone.dhs.org
Key fingerprint =  4FAF 6F70 B407 08AE 86EF AC0E 130E 932C 69C2 B37B
System Uptime:  up 4 days, 18:53, load average: 0.11 0.08 0.08 

------------------------------------------------------------------------
This is the analog-help mailing list. To unsubscribe from this
mailing list, send mail to [EMAIL PROTECTED]
with "unsubscribe" in the main BODY OF THE MESSAGE.
List archived at http://www.mail-archive.com/[email protected]/
------------------------------------------------------------------------
