Bug#574947: GLOBAL 6.4 release

2015-06-29 Thread Johannes Stezenbach
Hi,

On Sat, Apr 18, 2015 at 05:20:44PM +0200, Volker Mische wrote:
 Hi Ron,
 
 I've read this bug report several times and it took me a while to understand
 what the actual problem is. Do I summarize correctly that the problem is a
 system wide installed CGI script that can serve up the gtags information for
 several independent source code bases and that this script needs privileges
 a normal user shouldn't have?
 
 Given that with the GLOBAL 6.4 release the `--system-cgi` option is gone,
 it's no longer possible to run it system wide. Does it mean that the
 original issue isn't one anymore?

I've been using the Debian version for a while but now found
that it randomly drops symbols from the tags database when
indexing a large code base like parts of Android AOSP.
(The symbols are there when indexing a smaller part, so
it's not a parser issue.)  This makes the Debian version
unusable.  The current upstream version 6.5 works fine.

However, with regard to the issue blocking Debian from accepting the
update, my understanding is that it is still not fixed:
htags still dynamically generates CGI scripts.

What it should do instead is to have static CGI scripts
which read a generated data file, so that the CGI scripts
can be reviewed for security and can be installed in a place
where they are protected from modification.
The language here is quite explicit:
http://httpd.apache.org/docs/2.2/misc/security_tips.html#cgi

Personally I don't care about htags so I would be delighted
to see an updated Debian global package which just drops htags.


Johannes


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
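The property Johannes asks for above (CGI scripts that are reviewable and cannot be modified by ordinary users) can be checked on an installed cgi-bin. The following is an added example, not code from GLOBAL, htags or the Debian package; the audit function and the constructed temp-directory layout in `demo()` are assumptions for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical audit helper, not part of GLOBAL/htags: flag CGI scripts that
# could be modified by group/world or that are owned by an untrusted uid.

def _writable_by_others(st: os.stat_result) -> bool:
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_cgi_dir(cgi_dir: str, trusted_uids=(0,)) -> list:
    """Return (path, reason) findings for executables under cgi_dir.

    Directories are checked too: a writable cgi-bin lets anyone add scripts.
    Non-executable files are treated as data (e.g. a generated tags dump)
    and ignored, since only scripts are executed by the web server.
    """
    findings = []
    root = Path(cgi_dir)
    for p in [root] + sorted(root.rglob("*")):
        st = p.lstat()
        if stat.S_ISLNK(st.st_mode):
            findings.append((str(p), "symlink inside CGI directory"))
            continue
        kind = "directory" if stat.S_ISDIR(st.st_mode) else "script"
        if kind == "script" and not (
            stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IXUSR):
            continue  # plain data file, not a CGI script
        if _writable_by_others(st):
            findings.append((str(p), f"{kind} writable by group/world"))
        if st.st_uid not in trusted_uids:
            findings.append((str(p), f"{kind} owned by uid {st.st_uid}"))
    return findings

def demo() -> list:
    """Audit a constructed cgi-bin layout in a temp dir; returns reasons only."""
    base = Path(tempfile.mkdtemp())
    def mk(name, mode):
        f = base / name
        f.write_text("#!/bin/sh\necho ok\n")
        f.chmod(mode)
    mk("review.cgi", 0o755)      # reviewed, static script: fine
    mk("generated.cgi", 0o777)   # regenerated by a user tool: anyone may edit
    mk("htags.dat", 0o666)       # data file, not executable: ignored
    base.chmod(0o755)
    return [r for _, r in audit_cgi_dir(str(base), trusted_uids=(os.getuid(),))]
```

Run `audit_cgi_dir("/usr/lib/cgi-bin")` on a real host to list scripts an unprivileged user could rewrite; an empty list is the state the thread argues htags' output should reach.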



Bug#574947: GLOBAL 6.4 release

2015-04-18 Thread Volker Mische

Hi Ron,

I've read this bug report several times and it took me a while to 
understand what the actual problem is. Do I summarize correctly that the 
problem is a system wide installed CGI script that can serve up the 
gtags information for several independent source code bases and that 
this script needs privileges a normal user shouldn't have?


Given that with the GLOBAL 6.4 release the `--system-cgi` option is 
gone, it's no longer possible to run it system wide. Does it mean that 
the original issue isn't one anymore?


Cheers,
  Volker

