Skip Menu |

This queue is for tickets about the Bryar CPAN distribution.

Report information
The Basics
Id: 5414
Status: rejected
Priority: 0/
Queue: Bryar
People
Owner: Nobody in particular
Requestors: russell [...] ccs.neu.edu
Cc:
AdminCc:
Bug Information
Severity: Critical
Broken in: 2.6
Fixed in: (no value)

History Show all quoted text
  Sun Feb 22 20:08:33 2004 Guest - Ticket created
Subject: generate does not handle bogus format requests
Requesting bogus formats does not trigger the appropriate error, and may cause security breaches. TT.pm registers the following formats: html, atom, xml, rss, and rdf. However, insofar as I can tell, only xml works correctly. Requesting other formats does not work, and causes Bryar.cgi to fall through to its default output method. Requesting bogus formats will also fall through to the default output method instead of triggering an error. Futhermore, for all requests of the form http://blog/blog.cgi/$FOO cause bryar.cgi to suck in the text files in whatever directory in which it happens to reside, and output a blog page. In other words, it forgets about $datadir. (except where $FOO is "xml", as mentioned before) This is bad! If you want to keep all your executable scripts in, say, your cgi-bin directory (like most people) but want to keep blog entries elsewhere, this will allow people to read text files from cgi-bin. This will more or less defeat the purpose cgi-bin.
  Tue Oct 19 00:59:44 2004 PLURAL [...] cpan.org - Correspondence added
From: Jason Gessner
[guest - Sun Feb 22 20:08:33 2004]: Show quoted text
> Requesting bogus formats does not trigger the appropriate error, and > may cause security breaches. >
... Show quoted text
> Futhermore, for all requests of the form > > http://blog/blog.cgi/$FOO > > cause bryar.cgi to suck in the text files in whatever directory in > which it happens to reside, and output a blog page. In other words, > it forgets about $datadir. (except where $FOO is "xml", as > mentioned before)
Hmmm. From your post I can't really duplicate the error. I guess it would be more appropriate to return a 404 for an invalid format since technically the request wasn't found. As for slurping in files from your cgi-bin, could you please provide me a test case/config/url? Thanks! -- -jason scott gessner jason@multiply.org http://www.multiply.org/
  Fri Apr 13 10:55:28 2007 dcantrell [...] cpan.org - Correspondence added
Show quoted text
> TT.pm registers the following formats: html, atom, xml, rss, and rdf. > However, insofar as I can tell, only xml works correctly.
RSS certainly works, so I'm marking this as *rejected*, but if you think it's still a bug in 3.0, please open a new ticket.
  Fri Apr 13 10:55:32 2007 The RT System itself - Status changed from 'new' to 'open'
  Fri Apr 13 10:55:34 2007 dcantrell [...] cpan.org - Status changed from 'open' to 'rejected'