From mboxrd@z Thu Jan  1 00:00:00 1970
From: yngves@sourceware.cygnus.com
To: gnats-cvs@sourceware.cygnus.com
Subject: gnats/contrib/gnatsweb ChangeLog gnatsweb.pl
Date: Tue, 26 Jun 2001 12:13:00 -0000
Message-id: <20010626191331.26139.qmail@sourceware.cygnus.com>
X-SW-Source: 2001/msg00165.html
List-Id: <gnats-cvs.sourceware.org>

CVSROOT:	/cvs/gnats
Module name:	gnats
Changes by:	yngves@sources.redhat.com	2001-06-26 12:13:31

Modified files:
	contrib/gnatsweb: ChangeLog gnatsweb.pl 

Log message:
	(help_page): Fix a serious security hole where an attacker would be
	able to read any file on the system or run any command to which the
	web server process user had access to by submitting a rogue help_file
	parameter in the URL.  help_file is now hardcoded to 'gnatsweb.html'.

Patches:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/gnats/contrib/gnatsweb/ChangeLog.diff?cvsroot=gnats&r1=2.23&r2=2.24
http://sources.redhat.com/cgi-bin/cvsweb.cgi/gnats/contrib/gnatsweb/gnatsweb.pl.diff?cvsroot=gnats&r1=2.33&r2=2.34