From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 31774 invoked by alias); 9 Oct 2003 21:22:31 -0000 Mailing-List: contact overseers-help@sources.redhat.com; run by ezmlm Precedence: bulk List-Archive: List-Post: List-Help: , Sender: overseers-owner@sources.redhat.com Received: (qmail 31744 invoked from network); 9 Oct 2003 21:22:29 -0000 Received: from unknown (HELO vexpert.dbai.tuwien.ac.at) (128.131.111.2) by sources.redhat.com with SMTP; 9 Oct 2003 21:22:29 -0000 Received: from [128.131.111.60] (acrux [128.131.111.60]) by vexpert.dbai.tuwien.ac.at (Postfix) with ESMTP id 62C581378A for ; Thu, 9 Oct 2003 23:22:28 +0200 (CEST) Date: Thu, 09 Oct 2003 21:22:00 -0000 From: Gerald Pfeifer To: overseers@sources.redhat.com Subject: Re: bug in search engine In-Reply-To: <20031009205803.GA23169@redhat.com> Message-ID: References: <20031009204947.GC22601@redhat.com> <20031009205803.GA23169@redhat.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-SW-Source: 2003-q4/txt/msg00054.txt.bz2 On Thu, 9 Oct 2003, Christopher Faylor wrote: >> Isn't that at the discretion of the form that is used to invoke the cgi? >> Method="post", maybe? If so, I can fix this easily. > That was it. I'm changing all of the search options to use 'method="post"'. > That seems to work correctly. Nice detective work, thanks! > I've turned htsearch back on again. Security-wise this may be premature (if, and only if the problems is exploitable): someone else could craft a form invoking our cgi-bin in the original "bad" way -- and given the problem was mentioned on the public gcc list I'd say there is a non-zero chance for someone trying. Or did I miss anyhing? Gerald -- Gerald Pfeifer (Jerry) gerald@pfeifer.com http://www.pfeifer.com/gerald/