Randal L. Schwartz wrote:
>> "Jonathan" == Jonathan Vanasco <[EMAIL PROTECTED]> writes:
>
>
> Jonathan> Randal didn't raise or report a new security threat -- he re-
> Jonathan> categorized an active bug discussion as a security threat.
>
> Just for the record, I'm now clear (thanks to new
> "Jonathan" == Jonathan Vanasco <[EMAIL PROTECTED]> writes:
Jonathan> Randal didn't raise or report a new security threat -- he re-
Jonathan> categorized an active bug discussion as a security threat.
Just for the record, I'm now clear (thanks to new information) that I handled
this poorly
On Mar 26, 2007, at 12:25 PM, Perrin Harkins wrote:
That's easy to say in this specific case, since the actual threat is
so tiny that it didn't make much difference. You guys probably
wouldn't think it was such a good idea if it had been a more serious
exploit and someone had used it to compro
On 3/26/07, Robert Landrum <[EMAIL PROTECTED]> wrote:
Despite the (perceived) violation of protocol, Randal's message did
light a fire under the asses of a lot of mod_perl developers, and made
known a potential security issue. I'd say that's mission accomplished.
That's easy to say in this spe
Chris Shiflett wrote:
That's a weak defense. If you're a proponent of full disclosure, say so,
but don't use ignorance as your defense in the same email where you
claim to not be a "dumb guy."
I am a dumb guy, and I would have done the exact same thing Randal did.
I just don't think about s
- Original Message -
From: "Chris Shiflett" <[EMAIL PROTECTED]>
To: "Randal L. Schwartz"
Cc: "Geoffrey Young" <[EMAIL PROTECTED]>; "Alex Solovey"
<[EMAIL PROTECTED]>;
Sent: Sunday, March 25, 2007 4:39 PM
Subject: Re: MP1 Se
Randal L. Schwartz wrote:
> I get around. I read various mailing lists. I'm not a dumb guy about
> Perl stuff. And by the way, I've already been yelled at. :)
>
> But this thing about "[EMAIL PROTECTED]" is something that I
> wouldn't have thought to look for.
That's a weak defense. If you're a p
> "Randal" == Randal L Schwartz writes:
Randal> However, for mp2, since the listed modules all use
Randal> ModPerl::RegistryCooker, and the problem is in there, my list is still
Randal> accurate.
Ugh. Yes, I see it now. While ModPerl::RegistryCooker has the problem, some
of the modules (li
On 3/23/07, Randal L. Schwartz wrote:
You're correct. It has been fixed in Apache::Registry for MP1. I'm sorry I
overlooked that last night. For mp1, it affects only users of
Apache::PerlRun.
However, for mp2, since the listed modules all use ModPerl::RegistryCooker,
and the problem is in th
On 3/23/07, Geoffrey Young <[EMAIL PROTECTED]> wrote:
as for mp2, nothing in the current distribution is affected -
ModPerl::Registry and ModPerl::PerlRun are both filesystem based and not
uri based. however, if you use RegistryCooker to roll your own
non-standard Registry handler and are using
> "Geoffrey" == Geoffrey Young <[EMAIL PROTECTED]> writes:
Michael> Not quite. It only affects people running PerlRun. Not insignificant,
Michael> but definitely not everyone.
>>
>> No, it affects users of all script-like things, both mod_perl1 (users of
>> Apache::Registry, Apache::PerlRun),
> Michael> Not quite. It only affects people running PerlRun. Not insignificant,
> Michael> but definitely not everyone.
>
> No, it affects users of all script-like things, both mod_perl1 (users of
> Apache::Registry, Apache::PerlRun), and mod_perl2 (users of ModPerl::PerlRun,
> ModPerl::PerlRunP
> I was able to reproduce this in mp1.
>
> for the interested, a fix has been put in place in svn for mod_perl 1.0,
> which you can grab from here:
>
> https://svn.apache.org/repos/asf/perl/modperl/branches/1.x/
>
> furthermore, as michael pointed out, the problem is isolated to
> Apache::Per
> "Michael" == Michael Peters <[EMAIL PROTECTED]> writes:
Michael> Randal L. Schwartz wrote:
>>> "Alex" == Alex Solovey <[EMAIL PROTECTED]> writes:
>>
Alex> The problem is due to unescaped variable interpolation in regular
Alex> expression $uri =~ /$path_info$/ in sub namespace_from:
>>
> "Geoffrey" == Geoffrey Young <[EMAIL PROTECTED]> writes:
Geoffrey> this sensationalism was just flat-out irresponsible. I don't doubt
Geoffrey> that it's true, but not giving us dev folks time to address the
Geoffrey> issue with a security release is going to cause more headaches than
Geoff
Kjetil Kjernsmo wrote:
> On Friday 23 March 2007 14:57, Geoffrey Young wrote:
>
>>fwiw, I am unable to reproduce this in either mp1 or mp2 using what I
>>consider a basic setup.
>
>
> I have also failed to reproduce the problem on 2.0.3 with my setup.
> Also, we are very liberal on what kind of
On Friday 23 March 2007 14:57, Geoffrey Young wrote:
> fwiw, I am unable to reproduce this in either mp1 or mp2 using what I
> consider a basic setup.
I have also failed to reproduce the problem on 2.0.3 with my setup.
Also, we are very liberal on what kind of usernames, and thus what
special ch
Michael Peters wrote:
> Randal L. Schwartz wrote:
>
>>> "Alex" == Alex Solovey <[EMAIL PROTECTED]> writes:
>>
>> Alex> The problem is due to unescaped variable interpolation in regular
>> Alex> expression $uri =~ /$path_info$/ in sub namespace_from:
>>
>> I don't want to raise too many alarms, but
Randal L. Schwartz wrote:
>> "Alex" == Alex Solovey <[EMAIL PROTECTED]> writes:
>
> Alex> The problem is due to unescaped variable interpolation in regular
> Alex> expression $uri =~ /$path_info$/ in sub namespace_from:
>
> I don't want to raise too many alarms, but this means that every MP1
Randal L. Schwartz wrote:
>> "Randal" == Randal L Schwartz writes:
>
>
>> "Alex" == Alex Solovey <[EMAIL PROTECTED]> writes:
>
> Alex> The problem is due to unescaped variable interpolation in regular
> Alex> expression $uri =~ /$path_info$/ in sub namespace_from:
>
> Randal> I don't wan
> "Fred" == Fred Moyer <[EMAIL PROTECTED]> writes:
Fred> The changes are ready for review on the dev list. I can dig up some
Fred> tuits to help with the release if needed, and I think we are pretty set
Fred> there patch wise for anyone who needs something right away.
Release*s* you mean?
F
Philip M. Gollucci wrote:
Perrin Harkins wrote:
On 3/22/07, Andy Armstrong <[EMAIL PROTECTED]> wrote:
$path_info = quotemeta $path_info;
my $script_name = $path_info && $self->{URI} =~ /$path_info$/
You can in-line that to avoid clobbering the original:
my $script_name = $path_inf
Perrin Harkins wrote:
On 3/22/07, Andy Armstrong <[EMAIL PROTECTED]> wrote:
$path_info = quotemeta $path_info;
my $script_name = $path_info && $self->{URI} =~ /$path_info$/
You can in-line that to avoid clobbering the original:
my $script_name = $path_info && $self->{URI} =~ /\Q$pa
On 3/22/07, Andy Armstrong <[EMAIL PROTECTED]> wrote:
$path_info = quotemeta $path_info;
my $script_name = $path_info && $self->{URI} =~ /$path_info$/
You can in-line that to avoid clobbering the original:
my $script_name = $path_info && $self->{URI} =~ /\Q$path_info\E$/
- Perrin
On 23 Mar 2007, at 03:49, Fred Moyer wrote:
Ok, help me out here Merlyn. Will this fix it?
I assume it needs to be quoted like this:
$path_info = quotemeta $path_info;
my $script_name = $path_info && $self->{URI} =~ /$path_info$/
[EMAIL PROTECTED] ~/dev/modperl/mod_perl-2.0 $ sv
> "Fred" == Fred Moyer <[EMAIL PROTECTED]> writes:
Fred> Ok, help me out here Merlyn. Will this fix it?
No, you want /\Q$path_info\E$/
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical
Randal L. Schwartz wrote:
"Randal" == Randal L Schwartz writes:
"Alex" == Alex Solovey <[EMAIL PROTECTED]> writes:
Alex> The problem is due to unescaped variable interpolation in regular
Alex> expression $uri =~ /$path_info$/ in sub namespace_from:
Randal> I don't want to raise too many ala
> "Randal" == Randal L Schwartz writes:
> "Alex" == Alex Solovey <[EMAIL PROTECTED]> writes:
Alex> The problem is due to unescaped variable interpolation in regular
Alex> expression $uri =~ /$path_info$/ in sub namespace_from:
Randal> I don't want to raise too many alarms, but this means