Bug#47709: Some scripts way, way out of date



Package: cgi-scripts
Version: 1.0.9
Severity: Normal

My opinion, for what it may be worth, is that the example programs in
'cgi-scripts' are in several cases so far out of date that they represent
what is considered bad practice in modern CGI technique.

For example, the 'mailto.pl' script dating from 1995 is mostly an example
of how to crack a query string and exec 'sendmail,' neither of which is
an especially good idea.  As of Perl 5, the 'CGI.pm' module is a standard
component and its use is strongly preferred instead of manually cracking
query strings.  Also, invoking 'sendmail' is deprecated in favor of using
CPAN packages 'Mail::Mailer' or at least 'Net::SMTP' now.  Anyone who
actually tried using the supplied 'mailto.pl' script as an example of how
to write a CGI program would be wasting their time.

The 'archie' and 'wais.pl' scripts depend upon the '<ISINDEX>' technique,
which is formally deprecated by W3C and badly supported by CGI tools; see
the HTML4 spec http://www.w3.org/TR/REC-html40/interact/forms.html#h-17.8
on this subject.  There does not seem to be any Debian package for WAIS,
which makes the 'wais.pl' script from 1994 rather useless. 

Some of the dependencies are not worked out correctly.  For example, the
'mailto.pl' script depends upon 'sendmail,' the 'archie' script depends
upon 'archie,' the 'fortune' script depends upon 'fortune,' and so on. 
The approach of simply wrapping a system binary with a shell script and
making it directly accessible through the web server is not generally
regarded as a sound practice today from a security point of view, and this
is what the bulk of the package represents. 

On the whole, as examples of how to write CGI programs, it is my opinion
that the package in its current state probably does more harm than good.
If no one is going to do a wholesale revision, the package should be dropped.

-- Mike
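The two practices the report contrasts (hand-cracking QUERY_STRING and piping it to 'sendmail' versus using CGI.pm and Net::SMTP) are shown side by side below. This is an added example written for this page, not code from the cgi-scripts package or from the bug reporter. It assumes an MTA listening on localhost:25, a site-fixed envelope sender (placeholder value), and an address pattern that is deliberately stricter than RFC 5322; the commented-out "old style" fragment is there only to show which construct hands request data to a shell.

```perl
#!/usr/bin/perl
# Added example; not part of the cgi-scripts package or the bug report.
use strict;
use warnings;
use CGI;        # CGI.pm parses GET/POST parameters; no manual query cracking
use Net::SMTP;  # deliver over SMTP instead of exec'ing a sendmail binary

# --- The mailto.pl-era pattern the report objects to (for contrast only) ---
# Splitting QUERY_STRING by hand and interpolating a field into a piped
# open() hands the recipient string to /bin/sh unescaped, so any shell
# metacharacter in 'to' changes the command that runs:
#
#   my %q = map { split /=/, $_, 2 } split /&/, $ENV{QUERY_STRING};
#   open(MAIL, "| /usr/lib/sendmail $q{to}");
#
# --- Safer form: validate, fix the envelope sender, speak SMTP directly ---

# Accept only local-part@domain with a conservative character set.
# (Assumed policy for this example; stricter than RFC 5322 on purpose.)
sub valid_address {
    my ($addr) = @_;
    return defined $addr
        && length($addr) <= 254
        && $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/;
}

# Collapse CR/LF so a subject cannot smuggle additional headers.
sub one_line {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/[\r\n]+/ /g;
    return $s;
}

sub send_message {
    my ($to, $subject, $body) = @_;
    die "bad recipient\n" unless valid_address($to);
    $body = '' unless defined $body;

    # Envelope sender is set by the site, never taken from the request.
    my $from = 'www-data@example.com';   # placeholder for this example

    my $smtp = Net::SMTP->new('localhost', Timeout => 10)
        or die "cannot connect to MTA\n";
    $smtp->mail($from) or die "MAIL FROM rejected\n";
    $smtp->to($to)     or die "RCPT TO rejected\n";
    $smtp->data()      or die "DATA rejected\n";
    $smtp->datasend("From: $from\n");
    $smtp->datasend("To: $to\n");
    $smtp->datasend("Subject: " . one_line($subject) . "\n\n");
    $smtp->datasend($body);            # Net::SMTP dot-stuffs the body for us
    $smtp->dataend()   or die "message rejected\n";
    $smtp->quit;
    return 1;
}

my $cgi = CGI->new;
# Scalar assignment avoids CGI.pm's param()-in-list-context hazard.
my $to      = $cgi->param('to');
my $subject = $cgi->param('subject');
my $body    = $cgi->param('body');

print $cgi->header('text/plain');
if (eval { send_message($to, $subject, $body) }) {
    print "sent\n";
} else {
    print "error: $@";
}
```

The point of the split is that nothing from the request reaches a shell or a command line: the recipient is pattern-checked, the sender is constant, and header fields are flattened to one line before they are emitted. Replacing 'sendmail' with Net::SMTP also removes the dependency the report notes is not expressed in the package metadata.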
