Package: cgi-scripts
Version: 1.0.9
Severity: Normal

My opinion, for what it may be worth, is that the example programs in 'cgi-scripts' are in several cases so far out of date that they represent what are considered bad practice in modern CGI technique.

For example, the 'mailto.pl' script dating from 1995 is mostly an example of how to crack a query string and exec 'sendmail,' neither of which is an especially good idea. As of Perl 5, the 'CGI.pm' module is a standard component and its use is strongly preferred instead of manually cracking query strings. Also, invoking 'sendmail' is deprecated in favor of using the CPAN packages 'Mail::Mailer' or at least 'Net::SMTP' now. Anyone who actually tried using the supplied 'mailto.pl' script as an example of how to write a CGI program would be wasting their time.

The 'archie' and 'wais.pl' scripts depend upon the '<ISINDEX>' technique, which is formally deprecated by W3C and badly supported by CGI tools; see the HTML4 spec http://www.w3.org/TR/REC-html40/interact/forms.html#h-17.8 on this subject. There does not seem to be any Debian package for WAIS, which makes the 'wais.pl' script from 1994 rather useless.

Some of the dependencies are not worked out correctly. For example, the 'mailto.pl' script depends upon 'sendmail,' the 'archie' script depends upon 'archie,' the 'fortune' script depends upon 'fortune,' and so on.

The approach of simply wrapping a system binary with a shell script and making it directly accessible through the web server is not generally regarded as a sound practice today from a security point of view, and this is what the bulk of the package represents.

On the whole, as examples of how to write CGI programs, it is my opinion that the package in its current state probably does more harm than good. If no one is going to do a wholesale revision, the package should be dropped.

-- Mike
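Added example, not code from the cgi-scripts package or the reporter: a mail-sending CGI written the way the report recommends, parsing the request with CGI.pm rather than cracking QUERY_STRING by hand and delivering with Net::SMTP rather than exec'ing sendmail, with recipients chosen from a fixed table so request data never reaches the envelope. The SMTP host, sender address and recipient table are constructed assumptions.

```perl
#!/usr/bin/perl
# Added example: CGI.pm for parameters, Net::SMTP for delivery, no shell.
# Recipients come from a fixed allow-list keyed by an opaque form value,
# so user input never becomes an envelope address or a sendmail argument.
use strict;
use warnings;
use CGI qw(:standard);
use Net::SMTP;

# Constructed allow-list (assumption): the "to" field selects a key.
my %RECIPIENTS = (
    webmaster => 'webmaster@example.invalid',
    support   => 'support@example.invalid',
);
my $SMTP_HOST = 'localhost';                 # assumption: local MTA
my $FROM      = 'www-data@example.invalid';  # assumption: fixed sender

my $q  = CGI->new;                           # decodes GET and POST alike
my $to = $RECIPIENTS{ $q->param('to') // '' }
    or fail('unknown recipient');
my $subject = $q->param('subject') // '';
my $body    = $q->param('body')    // '';

# Header values must stay on one line: a CR or LF in the subject would let
# the client append further headers (extra To:/Bcc:), so reject it outright.
fail('invalid subject') if $subject =~ /[\r\n]/ || length $subject > 200;

my $smtp = Net::SMTP->new($SMTP_HOST, Timeout => 10)
    or fail('mail service unavailable');
$smtp->mail($FROM) or fail('sender rejected');
$smtp->to($to)     or fail('recipient rejected');
$smtp->data();
$smtp->datasend("From: $FROM\n");
$smtp->datasend("To: $to\n");
$smtp->datasend("Subject: $subject\n");
$smtp->datasend("\n");
$smtp->datasend("$body\n");    # body is message data; Net::SMTP dot-stuffs it
$smtp->dataend() or fail('message rejected');
$smtp->quit;

print header('text/plain'), "Message sent.\n";

# Report a client error without leaking internals, then stop.
sub fail {
    my ($msg) = @_;
    print header(-type => 'text/plain', -status => '400 Bad Request'), "$msg\n";
    exit 0;
}
```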