[Bug 235185] www/fcgiwrap: environment should be cleaned in /usr/local/etc/rc.d/fcgiwrap

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[Bug 235185] www/fcgiwrap: environment should be cleaned in /usr/local/etc/rc.d/fcgiwrap


--- Comment #34 from Rodney W. Grimes <[hidden email]> ---
<Rant Warning ON>
First off someone teach bugzilla that top posting this input box is just a
royal pain in the ass when your trying to reply to earlier posts, this whole
input box belongs at the BOTTOM of the page.

(In reply to Jilles Tjoelker from comment #31)
I support the idea that we may not want to take this to the extreme of a
sanatizer, how ever, I can not say that directly invoking /path/rc.d/foo is an
incorrect operation as that existed far longer than services(8).

(In reply to Devin Teske from comment #32)
Having services(8) be different than directly invoked scripts can be considered
a) a feature (It allows me to force feed ENV stuff) b) a bug cause it can cause
evil leaks or c) a POLA violation cause why should they be different.

Presently I believe we are in the a) state of affairs, and without additional
input we may wish to stay that way as changing it may cause a POLA issue.

(In reply to vas from comment #33)
I agree with you on the point that invoking rc.d scripts directly is NOT
incorrect procedure, see above at reply to #31

In summary my current position:
I am actually starting to come to the opinion that possibly the only action
that we should take AT THIS TIME is to place an env -i in the rc/fcigwrap
script to revoke its bad programming style of environment exposure to a cgi.
And to take
this idea of a general sanatizer to the next level == [hidden email]

You are receiving this mail because:
You are on the CC list for the bug.
[hidden email] mailing list
To unsubscribe, send any mail to "[hidden email]"