CGI::Application and recent bash security hole
Dagfinn Ilmari Mannsåker
ilmari at ilmari.org
Thu Sep 25 17:50:54 BST 2014
[Sorry for the empty response, I fat-fingered]
gvim <gvimrc at gmail.com> writes:
> I built a site several years ago with CGI::Application which runs in
> cgi, not psgi mode. Is it likely to be vulnerable to the recent bash
> security hole which I understand revolves around setting ENV variables?
If you ever end up invoking bash you will be vulnerable, since CGI
passes the HTTP headers as HTTP_* environment variables.
Remember that Perl's system()[1], as well as C's system() and popen(),
invoke /bin/sh, which may or may not be bash (it is on RedHat-like
systems, but not on Debian-like systems, for example).
[1]: If it's passed a single argument which contains shell metacharacters
--
- Twitter seems more influential [than blogs] in the 'gets reported in
the mainstream press' sense at least. - Matt McLeod
- That'd be because the content of a tweet is easier to condense down
to a mainstream media article. - Calle Dybedahl
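As an added example (not code from the original message or from CGI::Application), a small Perl script showing which system() forms hand the command string to /bin/sh, how to check what /bin/sh resolves to on the host, and how to drop request-derived HTTP_* variables before starting any child process; the HTTP_* values and the printenv commands are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not from the original post or from CGI::Application.
# Shows (1) which system() forms start /bin/sh, (2) what /bin/sh is on
# this host, and (3) dropping request-derived HTTP_* variables before any
# child runs. The HTTP_* values below are constructed stand-ins for what a
# web server sets from the request headers.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Basename qw(basename);

# Which binary /bin/sh really is (e.g. "bash" on RedHat-like systems,
# "dash" on Debian-like ones). Only bash is affected by the hole discussed.
sub sh_implementation {
    my $target = realpath('/bin/sh');
    return defined $target ? basename($target) : 'unknown';
}

# Remove every request-derived variable from the environment that child
# processes will inherit. Returns the names removed so the caller can log them.
sub scrub_request_env {
    my @removed = sort grep { /^HTTP_/ } keys %ENV;
    delete @ENV{@removed};
    return @removed;
}

unless (caller) {
    $ENV{HTTP_USER_AGENT}       = 'constructed-example-agent/1.0';
    $ENV{HTTP_X_REQUESTED_WITH} = 'constructed-example';

    printf "/bin/sh is %s\n", sh_implementation();

    # One string containing shell metacharacters: Perl hands it to
    # "/bin/sh -c", so the shell starts with every HTTP_* variable present.
    system('printenv | grep "^HTTP_" | sort');

    # List form: Perl exec()s printenv itself and no shell is involved.
    # The child still inherits %ENV, so scrub before starting any child.
    system('printenv', 'HTTP_USER_AGENT');

    my @gone = scrub_request_env();
    print "removed: @gone\n";

    # After scrubbing, neither form sees request-derived variables.
    system('printenv | grep -c "^HTTP_"');
}
```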