[Bug 235185] www/fcgiwrap: environment should be cleaned in /usr/local/etc/rc.d/fcgiwrap

bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235185

--- Comment #34 from Rodney W. Grimes <[hidden email]> ---
<Rant Warning ON>
First off, someone teach bugzilla that top posting this input box is just a
royal pain in the ass when you're trying to reply to earlier posts; this whole
input box belongs at the BOTTOM of the page.
</Rant>

(In reply to Jilles Tjoelker from comment #31)
I support the idea that we may not want to take this to the extreme of a
sanitizer; however, I cannot say that directly invoking /path/rc.d/foo is an
incorrect operation, as that existed far longer than services(8).

(In reply to Devin Teske from comment #32)
Having services(8) be different than directly invoked scripts can be considered
a) a feature (it allows me to force feed ENV stuff), b) a bug because it can cause
evil leaks, or c) a POLA violation because why should they be different.

Presently I believe we are in the a) state of affairs, and without additional
input we may wish to stay that way as changing it may cause a POLA issue.

(In reply to vas from comment #33)
I agree with you on the point that invoking rc.d scripts directly is NOT
incorrect procedure; see above at reply to #31.

In summary my current position:
I am actually starting to come to the opinion that possibly the only action
that we should take AT THIS TIME is to place an env -i in the rc/fcgiwrap
script to revoke its bad programming style of environment exposure to a cgi.
And to take this idea of a general sanitizer to the next level == [hidden email]

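The effect of the `env -i` proposal in the comment above, as an added example that is not part of the original post and not code from the fcgiwrap port or rc.subr. The launcher functions, the stand-in child, the `DEMO_DB_PASSWORD` variable and the PATH/HOME values are all assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Stand-in for the CGI child behind fcgiwrap (constructed): it reports the
# name of every environment variable it inherited, one per line.
CHILD='env | sed "s/=.*//" | sort'

# Directly invoked rc.d script: the child inherits everything the
# administrator's shell has exported.
launch_direct() {
    sh -c "$CHILD"
}

# Same child behind env -i: the environment is emptied first and only the
# variables named on the command line are handed over.
# PATH and HOME values are assumptions chosen for this demo.
launch_clean() {
    env -i PATH=/sbin:/bin:/usr/sbin:/usr/bin HOME=/ sh -c "$CHILD"
}

# child_sees <launcher> <VAR>: succeeds if the child inherited VAR.
child_sees() {
    "$1" | grep -qx "$2"
}

# leaked_names <launcher>: names the child saw beyond the allow-list.
# PWD, OLDPWD, SHLVL and _ are set by the shell itself, not inherited.
leaked_names() {
    "$1" | grep -Ev '^(PATH|HOME|PWD|OLDPWD|SHLVL|_)$' || true
}

# Constructed secret sitting in the invoking shell's environment.
export DEMO_DB_PASSWORD='constructed-secret'

for launcher in launch_direct launch_clean; do
    if child_sees "$launcher" DEMO_DB_PASSWORD; then
        echo "$launcher: DEMO_DB_PASSWORD reached the child"
    else
        echo "$launcher: DEMO_DB_PASSWORD not visible to the child"
    fi
    echo "  names beyond allow-list: $(leaked_names "$launcher" | wc -l)"
done
```

The same comparison can be run against a real daemon's environment to check whether a start script passes on more than its allow-list.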