Hi,

On Sat, Apr 18, 2015 at 05:20:44PM +0200, Volker Mische wrote:
> Hi Ron,
>
> I've read this bug report several times and it took me a while to understand
> what the actual problem is. Do I summarize correctly that the problem is a
> system wide installed CGI script that can serve up the gtags information for
> several independent source code bases and that this script needs privileges
> a normal user shouldn't have?
>
> Given that with the GLOBAL 6.4 release the `--system-cgi` option is gone,
> it's no longer possible to run it system wide. Does it mean that the
> original issue isn't one anymore?

I've been using the Debian version for a while but now found that it randomly
drops symbols from the tags database when indexing a large code base like parts
of Android AOSP. (The symbols are there when indexing a smaller part, so it's
not a parser issue.) This makes the Debian version unusable. The current
upstream version 6.5 works fine.

However, wrt the issue blocking Debian from accepting the update, my
understanding is that it is still not fixed: htags still dynamically generates
CGI scripts. What it should do instead is to have static CGI scripts which read
a generated data file, so that the CGI scripts can be reviewed for security and
can be installed in a place where they are protected from modification. The
language here is quite explicit:

http://httpd.apache.org/docs/2.2/misc/security_tips.html#cgi

Personally I don't care about htags so I would be delighted to see an updated
Debian global package which just drops htags.

Johannes
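
The design suggested in the message above (a fixed, reviewable CGI handler that only reads a generated data file) is shown here as an added example; it is not part of the original mail and is not htags code. The JSON index format and the names `load_index` and `handle_query` are assumptions made for illustration.

```python
import html
import json
import os
import re
import tempfile

# Hypothetical data format (not htags' real one):
# a JSON object mapping symbol -> [[path, line], ...].
SYMBOL_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,127}")

def load_index(path):
    """Parse the generated file strictly as data and reject unexpected shapes."""
    with open(path, "r", encoding="utf-8") as fh:
        raw = json.load(fh)
    if not isinstance(raw, dict):
        raise ValueError("index must be a JSON object")
    index = {}
    for symbol, hits in raw.items():
        if not SYMBOL_RE.fullmatch(symbol):
            raise ValueError("bad symbol in index")
        index[symbol] = [(str(p), int(n)) for p, n in hits]
    return index

def handle_query(index, pattern):
    """Return (status, body) for one lookup; the pattern is untrusted input."""
    if not SYMBOL_RE.fullmatch(pattern or ""):
        return 400, "invalid pattern"
    hits = index.get(pattern)
    if not hits:
        return 404, "not found"
    # Paths come from the indexed tree, so escape them before they reach HTML.
    rows = ["%s:%d" % (html.escape(p), n) for p, n in hits]
    return 200, "\n".join(rows)

def demo():
    # Constructed sample index, standing in for the indexer's output.
    sample = {"main": [["src/main.c", 12]], "usage": [["src/<gen>.c", 3]]}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "index.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        index = load_index(path)
    return [handle_query(index, q) for q in ("main", "usage", "nope", "not a symbol!")]

if __name__ == "__main__":
    for status, body in demo():
        print(status, body)
```

Only the data file changes per source tree; the handler itself can be installed read-only and owned by root, which is the property the Apache security tips ask for.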