The following reply was made to PR general/2182; it has been noted by GNATS.
From: Marc Slemko <[EMAIL PROTECTED]>
To: Apache bugs database <[EMAIL PROTECTED]>
Cc:
Subject: Re: general/2182: test-cgi security flaw (fwd)
Date: Tue, 5 May 1998 13:53:40 -0600 (MDT)

---------- Forwarded message ----------
Date: Tue, 05 May 1998 12:15:25 PDT
From: wOrm sign <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: general/2182: test-cgi security flaw

>Synopsis: test-cgi security flaw
>
>State-Changed-From-To: open-analyzed
>State-Changed-By: marc
>State-Changed-When: Tue May 5 08:32:47 PDT 1998
>State-Changed-Why:
>What OS are you using?
>
>Are you sure you aren't using an old copy of test-cgi?
>
>The version distributed with Apache is _NOT_ vulnerable to
>this problem unless you use a very broken shell. Note the:
>
># disable filename globbing
>set -f
>
>line.

Hey, sorry about that. I'm mistaken. I downloaded the tar/gzipped source
this morning to make sure the bug still existed, without actually trying
the script. I looked for quotes, and saw none, not thinking that a more
robust solution might have been implemented. The test-cgi script I use on
my home box is indeed very old.

I'm not that familiar with this PR system, so maybe if you could close
this for me...

sorry again,
Reuben
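
The thread above turns on whether an unquoted variable in a shell CGI script is protected by the `set -f` line. As an added example (not the Apache test-cgi script and not code from this thread), these shell functions compare an unquoted echo with globbing on, the same echo after `set -f`, and a quoted echo; the sandbox directory, file names and function names are constructed for the illustration.

```shell
#!/bin/sh
# Constructed sandbox: a scratch directory holding two empty sample files.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    : > "$dir/alpha.txt"
    : > "$dir/beta.txt"
    printf '%s\n' "$dir"
}

# Unquoted expansion with globbing on (the shell default): "*" becomes filenames.
echo_unquoted() (
    cd "$1" || exit 1
    set +f
    value=$2
    echo $value
)

# Unquoted expansion after `set -f`: pathname expansion is disabled, so "*"
# stays literal. Word splitting still happens, so runs of spaces collapse.
echo_unquoted_noglob() (
    cd "$1" || exit 1
    set -f
    value=$2
    echo $value
)

# Quoted expansion: neither globbing nor word splitting, whatever -f is set to.
echo_quoted() (
    cd "$1" || exit 1
    value=$2
    echo "$value"
)

demo() {
    sandbox=$(make_sandbox) || return 1
    for input in '*' 'a   b'; do
        printf 'input [%s]\n' "$input"
        printf '  unquoted:          [%s]\n' "$(echo_unquoted "$sandbox" "$input")"
        printf '  unquoted + set -f: [%s]\n' "$(echo_unquoted_noglob "$sandbox" "$input")"
        printf '  quoted:            [%s]\n' "$(echo_quoted "$sandbox" "$input")"
    done
    rm -rf "$sandbox"
}

demo
```

When auditing an old copy of such a script, check for either the `set -f` line or quoting around every variable expansion; a copy with neither shows the first behaviour.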
