[Pkg-crosswire-devel] Diatheke CGI scripts

Daniel Glassey dglassey at gmail.com
Sat Jan 24 21:15:44 GMT 2009


On Sat, Jan 24, 2009 at 7:53 PM, Jonathan Marsden <jmarsden at fastmail.fm> wrote:
> Daniel Glassey wrote:
>
>> After previous security issues with diatheke (CVE-2008-0932 and
>> CAN-2005-0015) it shouldn't be
>> easy to install without knowing what you are doing. But at the same
>> time e.g. it may be useful functionality to create a quick and simple
>> intranet bible site.
>
> Fixing up the CGI scripts to be security-sane per both
> http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/web-apps.html
> and http://www.w3.org/Security/Faq/wwwsf4.html would be a good thing to
> do, and might get us some kudos from upstream... is there someone on
> this team willing to take that on as "their" contribution to this
> effort?  Not necessarily for immediate release into Jaunty, of course!
>
>> So a way to do that install the cgi scripts to
>> /usr/share/doc/diatheke/examples. Create a README.Debian for diatheke
>> that strongly recommends installing the cgi scripts on a public
>> webserver ...
>
> I hope you meant "strongly recommends *against* installing..." ? :)

Oops, definitely!

> This sounds fine to me, for now we can throw them into examples/ and
> mention doing so, and the security issues behind that, in README.Debian.
> Longer term, if we want to continue including them, I'd suggest we do
> the necessary work to make the code secure, and get that work accepted
> upstream.

Yes, as long as one of us knows enough perl to do what you suggest above.

> Just to be clear: no-one is suggesting that the diatheke command line
> client is in itself a security risk, right -- it is just the CGI scripts
> that are a concern?

Yes, that is all that has been a risk. (libsword and diatheke have not
been audited for security but are not known to have any issues).

Thanks,
Daniel