----- Original Message -----
From: "Thomas Eibner" <[EMAIL PROTECTED]>
Subject: Re: Mitigating XSS in the mod_perl API
> On Mon, Jan 27, 2003 at 02:45:13PM +0000, Matt Sergeant wrote:
> > On Mon, 27 Jan 2003, Thomas Eibner wrote:
> >
> > > So, because a programmer doesn't check the validity of the input he gets
> > > it's a bug that should be fixed in Apache? Maybe someone should make
> > > sure that the same thing can't happen with allowing CGI input going
> > > straight into a form.. oh wait.
> > > I don't see anyone from dev@httpd wanting to "fix" this bogus error when
> > > it's really just doing what the programmer wants to do (when he is not
> > > validating the input).
> >
> > The programmer wants to output a header. If he accidentally tries to
> > output something that's not a header he actually ends up outputting body.
> > That's a bug.
>
> I can see the validity of your point, but it's still a programmer error.
> The same thing could happen if you did this as plain CGI and outputted
> something you weren't supposed to do.

Right - except that if he's outputting it raw from CGI, we can assume that he knows what he's doing, while if he's using a function which is DESIGNED to output a header (which should NOT have an extra \n), that's obviously either a mistake or a malicious misuse. Neither of which warrants the function doing what it was asked to do. If the programmer wants to intentionally bypass the "header_out" rule, he should bypass some more and send the headers himself.

I know that sounds weak, but I've got to say that I side with Matt here.

Issac
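The rule Issac and Matt argue for above, written out as a check an application can apply itself today: a header value that contains CR or LF no longer describes one header, so the setter should refuse it rather than let the rest of the value become further headers or body. This is an added example, not code from the thread or from mod_perl; `checked_header_value` and `set_header_out` are hypothetical names, and the wrapper assumes a mod_perl 1.x style request object whose `header_out` method takes a name and a value. The sample values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Validate a header name and value before they are handed to any API that
# writes them on the wire. The name must be an RFC 2616 token; the value may
# not contain CR, LF or NUL, because a CR/LF pair is exactly what ends the
# header line and lets whatever follows be parsed as a new header or as body.
# Returns the value unchanged on success and dies otherwise.
sub checked_header_value {
    my ($name, $value) = @_;
    die "header name '$name' contains an illegal character\n"
        unless defined $name && $name =~ /\A[A-Za-z0-9!#\$%&'*+.^_`|~-]+\z/;
    die "header '$name' value contains CR, LF or NUL\n"
        if !defined $value || $value =~ /[\r\n\0]/;
    return $value;
}

# Hypothetical wrapper: the handler calls this instead of $r->header_out so a
# bad value dies (and surfaces in the error log) instead of splitting the
# response. $r is assumed to be a request object with a header_out method.
sub set_header_out {
    my ($r, $name, $value) = @_;
    $r->header_out($name => checked_header_value($name, $value));
    return 1;
}

# Constructed inputs standing in for unvalidated CGI parameters that a handler
# might copy straight into a header.
my @cases = (
    ['Location', 'https://example.com/next'],                  # accepted
    ['Location', "https://example.com/\r\nSet-Cookie: x=1"],   # rejected: extra header
    ['Location', "https://example.com/\n\n<html>oops</html>"], # rejected: body follows
    ["X-Bad\r\nFoo", 'value'],                                 # rejected: bad name
);

for my $case (@cases) {
    my ($name, $value) = @$case;
    my $ok = eval { checked_header_value($name, $value); 1 };
    (my $why = $@ // '') =~ s/\n\z//;
    (my $shown = $name) =~ s/[\r\n]/?/g;
    print "$shown: ", ($ok ? 'accepted' : "rejected ($why)"), "\n";
}
```

Dying is deliberate: a rejected header is a program bug or an attack, and in either case silently stripping the newline would hide the condition the thread is debating. If a handler genuinely needs to send something that is not a well-formed header, it is the "bypass some more and send the headers himself" case, and it should not go through this wrapper.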
