On Sun, Jan 23, 2005 at 05:42:04PM -0500, pryzbyj wrote:
> tags 281655 patch
> thanks
> 
> I've included a 2-line patch which implements some output
> sanitization.  I can't find any other instance where this is a
> problem, but don't take my word for it; I haven't followed the code
> *that* closely.
> 
> Since info filenames/titles can be named anything (which is a Good
> Thing), the way to handle this is to escape '<' (and '>' while we're
> at it).  This prevents anyone from sticking any html anywhere.
> 
> I would also like to see this code use perl -T (for testing, as well
> as for installation, I think).  I will probably play with this later
> tonight.
> 
> I've never used perl -T before and it may very well break this program
> horribly.
It broke it, but not horribly.  The only complaint (check apache's
error log) is about $ENV{'PATH'}.  The Debian fix is to just set
$ENV{'PATH'}="/bin:/usr/bin" (or even just leave it untouched, maybe).

So, in addition to the previous patch, I suggest that the script runs
with #!/usr/bin/perl -T, and that the ENV variable is either set
absolutely, or not changed at all.

> Justin
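An added example, not the patch attached to this bug report, of what the two measures discussed in the thread look like together in a small CGI fragment: running under perl -T with $ENV{'PATH'} set absolutely, and escaping untrusted titles and file names before they reach the HTML output. The sample title and the `untaint_info_name` whitelist are constructed for illustration, and `html_escape` also covers `&` and `"` beyond the '<' and '>' the message mentions.

```perl
#!/usr/bin/perl -T
# Added example (not the info2www code or the bug's patch): a minimal
# CGI-style fragment showing output escaping and taint-mode setup.
use strict;
use warnings;

# Under -T, any program that spawns a subprocess dies unless PATH is
# trusted; set it absolutely rather than inheriting Apache's value.
$ENV{'PATH'} = '/bin:/usr/bin';
# perl -T also refuses these if they are set; clear them outright.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Escape the characters that would let an attacker-chosen title or
# file name inject markup into the generated page.  '&' is escaped too
# so that an already-escaped sequence is not re-interpreted.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Untaint a requested info file name: only a whitelist pattern is
# accepted, and the captured group (not the raw input) is what we use.
# The pattern is an assumption; no '/', '..' or whitespace gets through.
sub untaint_info_name {
    my ($name) = @_;
    return undef unless defined $name && $name =~ m{\A([\w.+-]+)\z};
    return $1;
}

# Constructed sample input, as a hostile query string might supply it.
my $title = q{<script>alert(1)</script> Info manual};
my $file  = 'libc.info';

my $safe_name = untaint_info_name($file)
    or die "bad info file name\n";
print "Content-Type: text/html\r\n\r\n";
print "<title>", html_escape($title), "</title>\n";
print "<p>Serving ", html_escape($safe_name), "</p>\n";
```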

