Your message dated Thu, 3 Oct 2024 22:23:28 +0100
with message-id <20241003212328.GB9065@tack.einval.com>
and subject line Re: Bug#1083186: cdimage.debian.org: Perl warning for find_file.cgi
has caused the Debian Bug report #1083186,
regarding cdimage.debian.org: Perl warning for find_file.cgi
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
1083186: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1083186
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: cdimage.debian.org: Perl warning for find_file.cgi
- From: Philipp Kern <pkern@debian.org>
- Date: Wed, 2 Oct 2024 21:59:05 +0200
- Message-id: <d4bbf769-7595-499d-a882-9dce971fc4d4@debian.org>
Package: cdimage.debian.org
X-Debbugs-Cc: debian-admin@lists.debian.org

Hi,

In cgi-grnet-01's Apache error log I found this:

> CGI::param called in list context from /srv/cdimage-search.debian.org/cgi-bin/find_file.cgi line 316, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 414.

That's printed on every invocation of the script, so it'd be good to fix it.
It is not invoked super often, but a clean error log would be better. :)

Kind regards and thanks
Philipp Kern

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
- To: Philipp Kern <pkern@debian.org>, 1083186-done@bugs.debian.org
- Subject: Re: Bug#1083186: cdimage.debian.org: Perl warning for find_file.cgi
- From: Steve McIntyre <steve@einval.com>
- Date: Thu, 3 Oct 2024 22:23:28 +0100
- Message-id: <20241003212328.GB9065@tack.einval.com>
- In-reply-to: <d4bbf769-7595-499d-a882-9dce971fc4d4@debian.org>
- References: <d4bbf769-7595-499d-a882-9dce971fc4d4@debian.org>
Hi Phil!

On Wed, Oct 02, 2024 at 09:59:05PM +0200, Philipp Kern wrote:
>Package: cdimage.debian.org
>X-Debbugs-Cc: debian-admin@lists.debian.org
>
>Hi,
>
>In cgi-grnet-01's Apache error log I found this:
>
>> CGI::param called in list context from /srv/cdimage-search.debian.org/cgi-bin/find_file.cgi line 316, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" at /usr/share/perl5/CGI.pm line 414.
>
>That's printed on every invocation of the script, so it'd be good to fix it.
>It is not invoked super often, but a clean error log would be better. :)

Thanks for raising this. I've just pushed a new version with updates
which solve this problem.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"... the premise [is] that privacy is about hiding a wrong. It's not.
 Privacy is an inherent human right, and a requirement for maintaining
 the human condition with dignity and respect."
  -- Bruce Schneier
--- End Message ---
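
What the CGI.pm warning quoted in this report guards against, as an added example that is not taken from find_file.cgi (its line 316 is not shown in the thread) or from the fix that was pushed. The helper names, the `limit` option and the query string are constructed for illustration, and CGI.pm 4.08 or later is assumed for `multi_param()`.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;   # assumption: CGI.pm 4.08 or later, which provides multi_param()

# Hypothetical helper taking named options, standing in for any code
# that builds a hash or argument list from request parameters.
sub build_search {
    my %opt = @_;
    return join ' ', map { "$_=$opt{$_}" } sort keys %opt;
}

# Return the parameter only if it was sent exactly once, else undef.
sub single_param {
    my ($q, $name) = @_;
    my @values = $q->multi_param($name);   # explicit, intentional list fetch
    return @values == 1 ? $values[0] : undef;
}

# Constructed query string: "file" is repeated so that the extra values
# line up as a key/value pair once the list is flattened.
my $q = CGI->new('file=debian.iso&file=limit&file=999999');

# List context: param() returns all three values, which are flattened
# into the argument list and override the limit set by the script.
# CGI.pm emits the warning quoted in the report for this call.
my $risky = build_search(limit => 10, file => $q->param('file'));

# Scalar context: only the first value is used, and no warning is logged.
my $first = build_search(limit => 10, file => scalar $q->param('file'));

# Stricter: treat a repeated parameter as a bad request.
my $only = single_param($q, 'file');

print "list context:   $risky\n";
print "scalar context: $first\n";
print "single_param:   ",
    defined $only ? $only : 'rejected (repeated parameter)', "\n";
```

CGI.pm prints the warning only once per process, so a single line in the error log does not mean there is only one list-context call in the script.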