On 09.11.2006 05:28:18, Junichi Uekawa wrote:
Basically, I don't like the whole idea of having to handle
soap_use_proxy even in non-CGI environments. It's just so silly.
Hello Junichi,
after some searching I found information about the security risk which
is present in CGI programs.
Is there any case where apt-listbugs will be used in a CGI environment?
I think this security risk does not apply to programs started by
the administrator in a terminal or an X windows environment, e.g.
aptitude.
Maybe you could set soap_use_proxy internally if http_proxy is set. If
the combination of soap_use_proxy=on and http_proxy is allowed, you
could even set soap_use_proxy without checking http_proxy.
I successfully ran (one time only) a modified version of apt-listbugs
0.0.63 with http_proxy set and soap_use_proxy unset.
Bodo
--- /usr/sbin/apt-listbugs.orig 2006-10-11 00:26:07.000000000 +0200
+++ /usr/sbin/apt-listbugs 2006-11-09 10:21:49.000000000 +0100
@@ -391,8 +391,11 @@
if ENV["HTTP_PROXY"] != nil && ENV["http_proxy"] == nil
raise $intl._("E: sanity check failed: environment variable
http_proxy is unset and HTTP_PROXY is set.")
end
- if ENV["http_proxy"] != nil && ENV["soap_use_proxy"] != "on"
- raise $intl._("E: sanity check failed: environment variable
http_proxy is set and soap_use_proxy is not 'on'.")
+ if ENV["HTTP_PROXY"] != nil && ENV["HTTP_PROXY"] !=
ENV["http_proxy"]
+ raise $intl._("E: sanity check failed: environment variables
http_proxy and HTTP_PROXY differ.")
+ end
+ if ENV["http_proxy"] != nil
+ ENV["soap_use_proxy"] = "on"
end
# http_proxy check
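Review bot: The new branch `if ENV["http_proxy"] != nil` forces `ENV["soap_use_proxy"] = "on"` for any inherited http_proxy, so the explicit opt-in that the removed raise enforced is gone in every environment, not only in a terminal session. It also silently overwrites a soap_use_proxy value the caller set to something other than "on", which the old code rejected with an error. If the intent is to relax the check only for interactive use, keep the raise when the process looks like a CGI invocation (for example when the standard CGI variable GATEWAY_INTERFACE is present) and auto-enable otherwise. A short comment above the assignment stating why overriding the variable is considered safe would help the next reader. The added HTTP_PROXY versus http_proxy comparison is fine; together with the check above it, HTTP_PROXY can now only pass when it equals http_proxy.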
@@ -401,6 +404,7 @@
puts "proxy configuration from APT.CONF: #{$1}" if $DEBUG
if $1 == 'DIRECT'
puts "Disabling proxy due to DIRECT" if $DEBUG
+ ENV.delete("soap_use_proxy")
else
ENV["http_proxy"] = $1
ENV["soap_use_proxy"] = "on"
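Review bot: In the DIRECT branch only `ENV.delete("soap_use_proxy")` is added, while ENV["http_proxy"] (and HTTP_PROXY, if set) stays in the environment. That is asymmetric with the else branch, which sets both http_proxy and soap_use_proxy, and it leaves exactly the combination the old sanity check refused: http_proxy set and soap_use_proxy not "on". Whether the proxy is really bypassed then depends on how the SOAP library treats http_proxy without soap_use_proxy, which these lines do not show. If DIRECT is meant to disable the proxy, delete http_proxy and HTTP_PROXY here as well, and extend the $DEBUG message to say which variables were cleared.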