Your message dated Thu, 3 Oct 2024 22:23:28 +0100
with message-id <[email protected]>
and subject line Re: Bug#1083186: cdimage.debian.org: Perl warning for
find_file.cgi
has caused the Debian Bug report #1083186,
regarding cdimage.debian.org: Perl warning for find_file.cgi
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1083186: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1083186
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cdimage.debian.org
X-Debbugs-Cc: [email protected]
Hi,
In cgi-grnet-01's Apache error log I found this:
CGI::param called in list context from
/srv/cdimage-search.debian.org/cgi-bin/find_file.cgi line 316, this can lead to
vulnerabilities. See the warning in "Fetching the value or values of a single named
parameter" at /usr/share/perl5/CGI.pm line 414.
That's printed on every invocation of the script, so it'd be good to fix
it. It is not invoked super often, but a clean error log would be better. :)
Kind regards and thanks
Philipp Kern
--- End Message ---
--- Begin Message ---
Hi Phil!
On Wed, Oct 02, 2024 at 09:59:05PM +0200, Philipp Kern wrote:
>Package: cdimage.debian.org
>X-Debbugs-Cc: [email protected]
>
>Hi,
>
>In cgi-grnet-01's Apache error log I found this:
>
>> CGI::param called in list context from
>> /srv/cdimage-search.debian.org/cgi-bin/find_file.cgi line 316, this can lead
>> to vulnerabilities. See the warning in "Fetching the value or values of a
>> single named parameter" at /usr/share/perl5/CGI.pm line 414.
>
>That's printed on every invocation of the script, so it'd be good to fix it.
>It is not invoked super often, but a clean error log would be better. :)
Thanks for raising this. I've just pushed a new version with updates
which solve this problem.
--
Steve McIntyre, Cambridge, UK. [email protected]
"... the premise [is] that privacy is about hiding a wrong. It's not.
Privacy is an inherent human right, and a requirement for maintaining
the human condition with dignity and respect."
-- Bruce Schneier
--- End Message ---
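The warning quoted in the report is about CGI.pm's `param()` returning every value of a repeated parameter when it is called in list context. The following is an added example, not code from find_file.cgi (whose line 316 is not shown on this page). It uses a constructed query string and hypothetical parameter names to show the pattern that triggers the warning beside the scalar and `multi_param()` forms that avoid it:

```perl
#!/usr/bin/perl
# Added illustration; not code from find_file.cgi.
# Parameter names and the query string are constructed for the example.
use strict;
use warnings;
use CGI;

# Constructed request: "query" is repeated, and two of its values look like
# a key/value pair.
my $q = CGI->new('query=debian.iso&query=is_admin&query=1&type=exact');

# Pattern that triggers the warning: param() inside a list (here a hash
# constructor). All values of "query" are spliced into the list, so the
# extra values turn into an additional key in %unsafe.
my %unsafe;
{
    local $CGI::LIST_CONTEXT_WARN = 0;    # silence the warning for this demo only
    %unsafe = (
        query => $q->param('query'),
        type  => $q->param('type'),
    );
}

# Corrected form: force scalar context so each key receives exactly one value.
my %safe = (
    query => scalar $q->param('query'),
    type  => scalar $q->param('type'),
);

# When several values are genuinely expected, request them explicitly.
my @all_queries = $q->multi_param('query');

print "list context:   ", join(', ', map { "$_=$unsafe{$_}" } sort keys %unsafe), "\n";
print "scalar context: ", join(', ', map { "$_=$safe{$_}" }   sort keys %safe),   "\n";
print "multi_param:    ", join(', ', @all_queries), "\n";
```

Either corrected form also stops the message from being written to the Apache error log on each request.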