On 05/02/2015 18:49, Jorj Bauer wrote:
> That change was apparently put in place in 2009:
>
>> 5682cfcd (fitterhappier 2009-02-26 21:36:44 +0000  8) #define ACV_FLAG_DEFAULTS       0
>
> The change log for that commit says:
>
>> commit 5682cfcd772193c4282239d2f6494c3fab453f9e
>> Author: fitterhappier <fitterhappier>
>> Date:   Thu Feb 26 21:36:44 2009 +0000
>>
>>      Added flags to allowing enabling/disabling parsing quotes and backslashes.
>
>
> So yes, it was clearly intentional; and it looks like it should also be 
> handling quotes properly. Can you send me a config file that's being 
> improperly parsed?

We could, but it would make little sense to you since the requirement for 
the parsing of quoted strings is a result of a local patch.  We define a 
number of error text strings in the config file, which allow us to 
change and tailor the errors on the cgi output without recompiling the 
cgi. With the change of that flag from the 3.0.0 source it was parsing the 
strings only up to the first space. Setting the default flags to 2 (or 
3) resolves the problem. We were just wondering why the default flags 
had been changed between releases, in case we were re-introducing a 
vulnerability.


> -- Jorj
>
>
>
> On Feb 5, 2015, at 7:32 AM, <gavin.g...@ed.ac.uk> <gavin.g...@ed.ac.uk> wrote:
>
>> Hi there,
>>
>> We have been investigating upgrading from cosign 3.0.0 to 3.2.0, but have
>> found an odd issue with the parsing of the cosign.conf file in relation
>> to the set keyword:
>>
>> We used to be able to do
>>
>> set key "value with spaces in it"
>>
>> and the config value would indeed be the string: value with spaces in it
>>
>> however now the value seems to be: "value
>>
>> ie it's truncated at the first white space and the parsing code no longer
>> picks up the double quote as being significant.
>>
>> I think the macro definition in argcargv.h is different
>>
>> #define ACV_FLAG_DEFAULTS       3  is now
>> #define ACV_FLAG_DEFAULTS       0
>>
>> Can I safely set it back to 3 or even two? Or are there implications I
>> should be aware of?
>>
>> Many thanks,
>>
>> Gavin Gray
>> University of Edinburgh
>> IT Infrastructure Division
>> Information Services
>> James Clerk Maxwell Building
>> The Kings Buildings
>> Peter Guthrie Tait Road
>> Edinburgh
>> EH9 3FD
>> UK
>> tel +44 (0)131 650 5987
>> email gavin.g...@ed.ac.uk
>>
>> --
>> The University of Edinburgh is a charitable body, registered in
>> Scotland, with registration number SC005336.
>>
>> ------------------------------------------------------------------------------
>> Dive into the World of Parallel Programming. The Go Parallel Website,
>> sponsored by Intel and developed in partnership with Slashdot Media, is your
>> hub for all things parallel software development, from weekly thought
>> leadership blogs to news, videos, case studies, tutorials and more. Take a
>> look and join the conversation now. http://goparallel.sourceforge.net/
>> _______________________________________________
>> Cosign-discuss mailing list
>> Cosign-discuss@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/cosign-discuss


-- 

Graeme Wood, Unix Section of the IT Infrastructure Division,
Information Services, The University of Edinburgh
Email: graeme.w...@ed.ac.uk Phone: +44 131 650 5003 Fax: +44 131 650 6552

The University of Edinburgh is a charitable body,
registered in Scotland, with registration number SC005336.
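To illustrate the flag behaviour discussed in this thread, here is a small argcargv-style tokeniser (added here, not code from cosign itself) whose double-quote and backslash handling is gated by flag bits. The bit values (backslashes = 1, quotes = 2), the function names and the sample config line are assumptions, chosen to match the report that default flags 2 or 3 restore quote parsing.

```c
#include <stdio.h>
#include <string.h>

/* Assumed bit layout, not copied from cosign's argcargv.h: the thread says
 * flags 2 or 3 restore quote handling, so quotes are the value-2 bit here. */
#define ACV_FLAG_BACKSLASH 1
#define ACV_FLAG_QUOTES    2

/* Tokenise buf in place on whitespace, honouring double quotes and backslash
 * escapes only when the flag bit is set. Returns token count or -1 on error. */
static int acav_parse(char *buf, char **argv, int maxargs, int flags)
{
    int argc = 0;
    char *p = buf;
    for (;;) {
        char *out;
        int inq = 0;
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '\0' || *p == '\n') break;
        if (argc >= maxargs) return -1;
        argv[argc++] = out = p;
        while (*p != '\0' && *p != '\n' && (inq || (*p != ' ' && *p != '\t'))) {
            if ((flags & ACV_FLAG_QUOTES) && *p == '"') { inq = !inq; p++; continue; }
            if ((flags & ACV_FLAG_BACKSLASH) && *p == '\\' && p[1] != '\0') p++;
            *out++ = *p++;              /* compact the token towards argv[argc-1] */
        }
        if (inq) return -1;             /* unterminated "value */
        if (*p != '\0') p++;            /* step past the delimiter */
        *out = '\0';
    }
    return argc;
}

/* Parse one "set key value" line under flags and copy the value into out.
 * Returns out, or NULL on a parse error. A fail-closed loader should also
 * reject argc != 3: a truncated quoted value shows up as extra tokens. */
const char *set_directive_value(const char *line, int flags, char *out, size_t outlen)
{
    char buf[256], *argv[16];
    int argc;
    snprintf(buf, sizeof buf, "%s", line);      /* line is a constructed sample */
    argc = acav_parse(buf, argv, 16, flags);
    if (argc < 3 || strcmp(argv[0], "set") != 0) return NULL;
    snprintf(out, outlen, "%s", argv[2]);
    return out;
}
```

Under flags 0 the line `set key "value with spaces in it"` yields the truncated value `"value`, exactly as reported above; under ACV_FLAG_QUOTES it yields `value with spaces in it`, and an unterminated quote is reported as an error rather than silently accepted.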
