Package: dwww
Version: 1.9.24
Severity: important
Tags: patch
When getting /cgi-bin/dwww?type=dir&location=/usr/share/doc on my
machine, my web browser gives me the following error:
Insecure $ENV{IFS} while running with -T switch at /usr/lib/cgi-bin/dwww
line 73.
HTTP/1.1 200 OK
I believe that this is not seen when using more full-featured http
daemons that clean the environment before running cgi scripts. However,
my machine is running bozohttpd.
Here's a simple patch against /usr/lib/cgi-bin/dwww that fixes this
problem, and any other potentially insecure environment settings:
15a16,17
> %inenv = %ENV;
> %ENV = ();
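Review bot: `%ENV = ();` wipes PATH (and LANG/LC_* with it) along with IFS, so if dwww calls `system` or backticks later, as the failing line 73 suggests, set `$ENV{PATH}` to a fixed absolute value right after the clear rather than relying on a default search path. The narrower perlsec fix, `delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};` plus `$ENV{PATH} = '/bin:/usr/bin';`, also silences the taint error while leaving the rest of the environment alone. `%inenv` is a new global; if the script runs under `use strict` it needs `my %inenv` (or `our %inenv`) here.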
60c62
< local $port = defined $ENV{'SERVER_PORT'} ? ':' . $ENV{'SERVER_PORT'} :
'';
---
> local $port = defined $inenv{'SERVER_PORT'} ? ':' .
> $inenv{'SERVER_PORT'} : '';
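Review bot: the `60c62` header promises one replacement line, but two `>` lines follow (`':' .` / `$inenv{'SERVER_PORT'} : '';`), and the `<` side is likewise split with `'';` on its own line; the mailer wrapped the long line, so `patch` will reject this hunk. Please resend the diff as an attachment, ideally as `diff -u` output, so the line counts match.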
62c64
< print "Location: http://$ENV{'SERVER_NAME'}$port/dwww/\n\n";
---
> print "Location: http://$inenv{'SERVER_NAME'}$port/dwww/\n\n";
87,88c89,90
< if ($ENV{'REQUEST_METHOD'} eq "GET") { # a GET -- data in encoded string
< $in = $ENV{'QUERY_STRING'};
---
> if ($inenv{'REQUEST_METHOD'} eq "GET") { # a GET -- data in encoded
> string
> $in = $inenv{'QUERY_STRING'};
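Review bot: same wrapping problem as the `60c62` hunk: `87,88c89,90` announces two replacement lines but three `>` lines appear, with the trailing comment word `string` on a line of its own, so the hunk will not apply as mailed.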
90,91c92,93
< elsif ($ENV{'REQUEST_METHOD'} eq "POST") { # a POST -- data in variables
< for ($i = 0; $i < $ENV{'CONTENT_LENGTH'}; $i++) {
---
> elsif ($inenv{'REQUEST_METHOD'} eq "POST") { # a POST -- data in
> variables
> for ($i = 0; $i < $inenv{'CONTENT_LENGTH'}; $i++) {
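Review bot: `90,91c92,93` has the same wrapped comment (`variables` on its own line) and will be rejected by `patch`. Note also that copying `CONTENT_LENGTH` into `%inenv` does not untaint it; the byte loop still trusts a client-supplied length, which is unchanged from the original and worth an upper bound in a follow-up.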
95,96c97,98
< elsif ($ENV{'REQUEST_METHOD'} eq "HEAD") {
< $in = $ENV{'QUERY_STRING'};
---
> elsif ($inenv{'REQUEST_METHOD'} eq "HEAD") {
> $in = $inenv{'QUERY_STRING'};
-- System Information:
Debian Release: testing/unstable
APT prefers oldstable
APT policy: (500, 'oldstable'), (500, 'testing')
Architecture: i386 (i586)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.9-mppe
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages dwww depends on:
ii bozohttpd [httpd-cgi] 20050410-1 Bozotic HTTP server
ii debconf [debconf-2.0] 1.4.57 Debian configuration management sy
ii debianutils 2.14.1 Miscellaneous utilities specific t
ii doc-base 0.7.18-0.1 utilities to manage online documen
ii file 4.12-1 Determines file type using "magic"
ii libc6 2.3.5-6 GNU C Library: Shared libraries an
ii man-db 2.4.3-1 The on-line manual pager
ii menu 2.1.25 generates programs menu for all me
ii perl 5.8.7-3 Larry Wall's Practical Extraction
ii realpath 1.9.24 Return the canonicalized absolute
Versions of packages dwww recommends:
ii apt 0.5.28.6 Advanced front-end for dpkg
ii dlocate 0.5-0.1 fast alternative to dpkg -L and dp
ii info2www 1.2.2.9-23 Read info files with a WWW browser
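Added here as an example (not part of the report and not dwww's own code): a minimal CGI under perl -T that keeps a copy of the request variables, as the patch above does, but sanitises %ENV the way perlsec recommends instead of emptying it, so PATH is still defined for child processes. The backtick command and the variable names are placeholders.

```perl
#!/usr/bin/perl -T
# Added example, not dwww's code: keep a copy of the CGI variables the script
# needs, then sanitise %ENV as perlsec recommends before any system()/backtick
# call, so taint mode stops rejecting an IFS inherited from the httpd.
use strict;
use warnings;

# Snapshot the request metadata. Values copied from %ENV stay tainted, which
# is correct: they came from the client and must not reach a shell unchecked.
my @wanted = qw(REQUEST_METHOD QUERY_STRING CONTENT_LENGTH SERVER_NAME SERVER_PORT);
my %request = map { $_ => $ENV{$_} } grep { defined $ENV{$_} } @wanted;

# The variables perl -T inspects before spawning a child (see perlsec): drop the
# shell-influencing ones and pin PATH to fixed, absolute, non-writable dirs.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/bin:/usr/bin';

# A child can now be started; with an inherited IFS and no cleanup this is the
# point where "Insecure $ENV{IFS} while running with -T switch" would abort.
my $probe = `/bin/echo ok`;   # placeholder for the command dwww runs
chomp $probe;

my $port   = defined $request{SERVER_PORT}    ? ':' . $request{SERVER_PORT} : '';
my $host   = defined $request{SERVER_NAME}    ? $request{SERVER_NAME}       : 'localhost';
my $method = defined $request{REQUEST_METHOD} ? $request{REQUEST_METHOD}    : 'GET';

print "Content-Type: text/plain\n\n";
print "child=$probe method=$method base=http://$host$port/dwww/\n";
```

Run it as `perl -T example.pl` (or directly through the shebang); perl refuses a -T that appears only on the #! line when started without it.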