On Thu, Feb 6, 2014 at 8:43 AM, Paul Wise wrote:
> Which CGI are we talking about? Perhaps we can give more specific advice.

I guess you mean Online Python Tutor (#737732).

Looking at the git repo, it includes a lot of embedded code copies of various JavaScript libraries and other code. As per policy 4.13 those should be packaged separately.

https://wiki.debian.org/EmbeddedCodeCopies

I see some places where it uses os.system(). That should switch to using the subprocess module with shell disabled.

The idea of this software is a bit concerning to me, it sounds like it runs arbitrary Python code on the server and passes the results back to the web. I would suggest auditing it to ensure that it isn't one giant security hole. Please get CVEs for any issues that you find.

http://oss-security.openwall.org/wiki/disclosure/cve

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
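The os.system() to subprocess change Paul recommends above, shown as an added example (this is illustration code, not code from Online Python Tutor or from the Debian package). The file name passed in is a constructed value containing shell metacharacters; the helper names, the `-I` isolated-mode flag and the `head -c` limit are choices made here, not anything the mail specifies.

```python
"""Replacing os.system() with subprocess and shell=False so that a
caller-controlled string cannot change which command is run."""

from __future__ import annotations

import json
import os
import shlex
import subprocess
import sys


def run_file_with_os_system(user_path: str) -> int:
    """The pattern the mail flags. os.system() hands one string to /bin/sh,
    so metacharacters in user_path (';', '|', '$(...)') are interpreted by
    the shell instead of being part of the file name. Kept only for
    comparison; nothing below calls it."""
    return os.system("python3 " + user_path)


def run_file_with_subprocess(user_path: str, timeout: float = 10.0) -> subprocess.CompletedProcess:
    """The recommended form: an argv list, shell=False (the default), and the
    interpreter located via sys.executable. user_path is exactly one argv
    element whatever characters it contains. -I runs the child in isolated
    mode so the caller's environment and cwd do not alter its import path."""
    return subprocess.run(
        [sys.executable, "-I", user_path],
        shell=False,
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )


def argv_as_received(user_value: str) -> list[str]:
    """Show what a child process actually receives when user_value is passed
    as one argv element. The child echoes its own argv back as JSON."""
    proc = subprocess.run(
        [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))", user_value],
        shell=False,
        capture_output=True,
        text=True,
        check=True,
        timeout=10.0,
    )
    return json.loads(proc.stdout)


def shell_command_if_unavoidable(user_path: str) -> str:
    """If a shell really is needed (pipelines, redirections), quote every
    caller-controlled piece with shlex.quote() before building the string
    that would be given to shell=True. Returned rather than executed so the
    assembled command can be logged and inspected."""
    return "python3 " + shlex.quote(user_path) + " 2>&1 | head -c 65536"


if __name__ == "__main__":
    # Constructed input containing shell metacharacters.
    suspicious = "script.py; echo injected"
    print(argv_as_received(suspicious))           # one literal argument, nothing executed
    print(shell_command_if_unavoidable(suspicious))
    result = run_file_with_subprocess(suspicious)
    print(result.returncode, result.stderr.strip())
```

With the argv list, the child receives `script.py; echo injected` as a single file name and fails to open it; the `echo` is never seen by a shell. When reviewing a CGI of this kind, grep for `os.system(`, `os.popen(` and `shell=True` and check that every remaining argument is either a constant or goes through the list form.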