
Re: intent to package Festival::Client Perl module

On Wed, 28 Oct 1998 13:28:52 -0800, Joey Hess <joey@kitenet.net> said:
> Note that running festival in server mode is an enormous security
> hole. A festival server can be made to read and probably write to
> arbitrary files on the system.

Thanks, I didn't realize that (I don't know Scheme, all I've used so far
is the SayText function).  I'll put some words to this effect in the
package's description.

> I've talked to the authors about this, but they don't seem too
> interested in fixing it.

Perhaps they'd be amenable to adding an option which tells the server
the address to bind() to.  This would be a simple change and it would
allow one to restrict connections to localhost, at least.

Roderick Schertler
