This is the mail archive of the gnats-cvs@sources.redhat.com mailing list for the GNATS project.
gnats/contrib/gnatsweb ChangeLog gnatsweb.pl
- To: gnats-cvs at sourceware dot cygnus dot com
- Subject: gnats/contrib/gnatsweb ChangeLog gnatsweb.pl
- From: yngves at sourceware dot cygnus dot com
- Date: 26 Jun 2001 19:13:31 -0000
CVSROOT: /cvs/gnats
Module name: gnats
Changes by: yngves@sources.redhat.com 2001-06-26 12:13:31
Modified files:
contrib/gnatsweb: ChangeLog gnatsweb.pl
Log message:
(help_page): Fix a serious security hole where an attacker would be
able to read any file on the system or run any command to which the
web server process user had access by submitting a rogue help_file
parameter in the URL. help_file is now hardcoded to 'gnatsweb.html'.
Patches:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/gnats/contrib/gnatsweb/ChangeLog.diff?cvsroot=gnats&r1=2.23&r2=2.24
http://sources.redhat.com/cgi-bin/cvsweb.cgi/gnats/contrib/gnatsweb/gnatsweb.pl.diff?cvsroot=gnats&r1=2.33&r2=2.34
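
The fix described in the log message hardcodes the help file name. The following is an added example, not code from gnatsweb.pl or the GNATS project, and it goes one step further than the commit: it shows how a Perl CGI help handler can still offer several help pages without letting the request choose a path, by using the parameter only as a key into a fixed allowlist and opening the result with three-argument open. The names $HELP_DIR, %HELP_FILES, resolve_help_file and read_help_file, the directory, and the second help file are all hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Hypothetical names throughout; not taken from gnatsweb.pl.
my $HELP_DIR     = '/usr/local/share/gnatsweb';   # assumed install directory
my $DEFAULT_HELP = 'gnatsweb.html';               # the name the commit hardcodes

# Topic keys a request may send, mapped to fixed file names on disk.
# The request value is only ever used as a hash key, never as a path.
my %HELP_FILES = (
    main  => 'gnatsweb.html',
    query => 'gnatsweb-query.html',   # constructed second entry for illustration
);

# Return the absolute path for a requested help topic.
# Unknown, empty or undefined topics fall back to the default page.
sub resolve_help_file {
    my ($topic) = @_;
    my $name = (defined $topic && exists $HELP_FILES{$topic})
        ? $HELP_FILES{$topic}
        : $DEFAULT_HELP;
    return File::Spec->catfile($HELP_DIR, $name);
}

# Read the help page. Three-argument open treats $path purely as a file
# name; the mode is the fixed '<' and is never derived from request data.
sub read_help_file {
    my ($topic) = @_;
    my $path = resolve_help_file($topic);
    open(my $fh, '<', $path) or return "Help is not available.\n";
    local $/;                  # slurp the whole file in one read
    my $html = <$fh>;
    close($fh);
    return $html;
}

# Constructed sample request values: a known topic, no value, and two
# values that are not in the allowlist.
for my $topic ('query', undef, '../other.html', 'no-such-topic') {
    my $shown = defined $topic ? $topic : '(undef)';
    printf "%-20s -> %s\n", $shown, resolve_help_file($topic);
}
```

Every value that is not an allowlist key resolves to the default page, so the set of files the handler can open is fixed when the script is written rather than decided per request.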