On Sun, Jan 23, 2005 at 05:42:04PM -0500, pryzbyj wrote:
> tags 281655 patch
> thanks
>
> I've included a 2-line patch which implements some output
> sanitization. I can't find any other instance where this is a
> problem, but don't take my word for it; I haven't followed the code
> *that* closely.
>
> Since info filenames/titles can be named anything (which is a Good
> Thing), the way to handle this is to escape '<' (and '>' while we're
> at it). This prevents anyone from sticking any html anywhere.
>
> I would also like to see this code use perl -T (for testing, as well
> as for installation, I think). I will probably play with this later
> tonight.
>
> I've never used perl -T before and it may very well break this program
> horribly.

It broke it, but not horribly. The only complaint (check apache's error log) is about $ENV{'PATH'}. The Debian fix is to just set $ENV{'PATH'}="/bin:/usr/bin" (or even just leave it untouched, maybe).

So, in addition to the previous patch, I suggest that the script runs with #!/usr/bin/perl -T, and that the ENV variable is either set absolutely, or not changed at all.

> Justin
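The two measures discussed in this thread, escaping '<' and '>' in info titles/filenames before they reach the HTML output and running the CGI under perl -T with a fixed $ENV{'PATH'}, as an added standalone example. This is not the code from the bug report's patch nor the script itself; the sample titles are constructed, and the escape routine goes slightly beyond the patch by also handling '&' and quote characters so the result is safe inside attribute values as well as element content.

```perl
#!/usr/bin/perl -T
# Added example, not the info2www code or the patch from bug 281655.
# Shows (1) the %ENV hygiene taint mode requires before any external
# command can be run and (2) escaping of user-controlled text before it
# is written into HTML.
use strict;
use warnings;

# Under -T, perl dies with "Insecure $ENV{PATH}" as soon as the script
# runs an external command while PATH is tainted.  Setting it to an
# absolute, trusted value clears the taint; the other variables are the
# ones perlsec recommends removing because a shell would honour them.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Escape every character that could let a filename or title inject
# markup.  The report proposes '<' and '>'; '&', '"' and "'" are added
# here so the output is also safe inside attribute values.
sub html_escape {
    my ($text) = @_;
    my %map = (
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$map{$1}/g;
    return $text;
}

# Constructed sample values standing in for an info title or filename
# that a client could choose (for instance via the query string).
my @samples = (
    'Emacs Manual',
    '<script>alert(1)</script>',
    'A & B "quoted" <node>',
);

print "Content-Type: text/html; charset=utf-8\n\n";
print "<ul>\n";
for my $title (@samples) {
    # Escape once, at the point where the value enters the HTML.
    my $safe = html_escape($title);
    print "  <li title=\"$safe\">$safe</li>\n";
}
print "</ul>\n";
```

Because the -T switch sits on the shebang line, the script must be started either directly (as the web server does) or as perl -T script.pl; plain perl script.pl aborts with "Too late for -T". The PATH assignment is what removes the error the reply describes in Apache's error log, and it is equivalent in effect to the "set absolutely" option suggested above; leaving PATH untouched only works if the script never runs an external program.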