From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 12900 invoked by alias); 9 Oct 2003 21:51:24 -0000 Mailing-List: contact overseers-help@sources.redhat.com; run by ezmlm Precedence: bulk List-Archive: List-Post: List-Help: , Sender: overseers-owner@sources.redhat.com Received: (qmail 12884 invoked from network); 9 Oct 2003 21:51:23 -0000 Received: from unknown (HELO redhat.com) (66.187.230.200) by sources.redhat.com with SMTP; 9 Oct 2003 21:51:23 -0000 Received: by redhat.com (Postfix, from userid 201) id BF0E732A8A7; Thu, 9 Oct 2003 17:51:22 -0400 (EDT) Date: Thu, 09 Oct 2003 21:51:00 -0000 From: Christopher Faylor To: Gerald Pfeifer Cc: overseers@sources.redhat.com Subject: Re: bug in search engine Message-ID: <20031009215122.GC23269@redhat.com> Mail-Followup-To: Gerald Pfeifer , overseers@sources.redhat.com References: <20031009204947.GC22601@redhat.com> <20031009205803.GA23169@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.1i X-SW-Source: 2003-q4/txt/msg00055.txt.bz2 On Thu, Oct 09, 2003 at 11:22:32PM +0200, Gerald Pfeifer wrote: >On Thu, 9 Oct 2003, Christopher Faylor wrote: >>> Isn't that at the discretion of the form that is used to invoke the cgi? >>> Method="post", maybe? If so, I can fix this easily. >> That was it. I'm changing all of the search options to use 'method="post"'. >> That seems to work correctly. > >Nice detective work, thanks! > >> I've turned htsearch back on again. > >Security-wise this may be premature (if, and only if the problems is >exploitable): someone else could craft a form invoking our cgi-bin in >the original "bad" way -- and given the problem was mentioned on the >public gcc list I'd say there is a non-zero chance for someone trying. > >Or did I miss anyhing? The problem is fixed by using the post method. I thought that I'd have that fixed in all of the myriad places that this showed up but it is taking *forever*. So, I've turned it off again until this is finished. cgf