Action address in HTML forms

Dominic Thoreau dominic.thoreau at
Wed Mar 4 10:59:12 GMT 2009

2009/3/3 David Cantrell <david at>:
> On Tue, Mar 03, 2009 at 05:48:40PM +0000, the hatter wrote:
>> I'd expect most frameworks to remove the URI distintion between html pages
>> and where scripts can execute
> I've always wondered what the point was of having a seperate /cgi-bin or
> equivalent.  I stopped doing that as soon as I switched to a web server
> that didn't enforce it.

Not that this is a justification for the sort of security lapse that
lets you get into this sort of situation,

If your website has any sort of functionality that involves uploading
of files, this could be seen as a point-of-last-resort safeguard
against code injection attacks.

Of course, you shouldn't be storing uploaded files anywhere in
world-accessible space (at least, not directly, without human and/or
comprehensive taint checking), but just best-practice doesn't always
happen in the wild.
No train here, but still:
The sign says: "Ready to Leave"
Normal service, yes?

More information about the mailing list