[7221] in bugtraq
Re: ePerl: bad handling of ISINDEX queries
daemon@ATHENA.MIT.EDU (Tiago Luz Pinto)
Fri Jul 10 15:06:23 1998
Date: Fri, 10 Jul 1998 01:52:52 -0300
Reply-To: Tiago Luz Pinto <tiago@EPS.UFSC.BR>
From: Tiago Luz Pinto <tiago@EPS.UFSC.BR>
To: BUGTRAQ@NETSPACE.ORG
On Wed, 8 Jul 1998, Steve Willer wrote:
> To be honest, although I ended up not using ePerl, I would consider this
> mistake fairly understandable. I mean, I can't think of anywhere that
> still uses ISINDEX, so it's not that strange for it to fall out of a
> developer's mental space.

I don't agree with you on that. First, ISINDEX is well documented
in the CGI specification and ePerl claims that it is CGI/1.1 compliant.
Second, if you want your software to work (not to mention being secure),
you can't forget things that are written in the specs.

> I do want to make one point about the original bug report: If I read it
> correctly, then you will only be able to execute ePerl code, *not* Perl
> code. ePerl starts off in "plain text" mode, so anything until the
> ePerl-open tag will be output as plain text.

You'll be able to execute PERL code, since all that ePerl does
is put a PERL "print" command in front of your HTML code and pass
it to the Perl interpreter along with the PERL code embedded in the page.

Another thing: this bug was found in the latest (2.2.12)
version of ePerl.

+----------------------------------------------------------------------+
| Tiago Luz Pinto tiago@eps.ufsc.br |
| |
| Network Administrator - Department of Production Engineering |
| Federal University of Santa Catarina - Brazil |
+----------------------------------------------------------------------+
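
Added example, not part of the original post or of ePerl's code: a sketch of the CGI/1.1 ISINDEX rule the message refers to (a query string with no unencoded "=" is split on "+", decoded, and handed to the program as command-line arguments), with a guard that stops a CGI program from trusting those arguments. The function names are hypothetical and the sample inputs are constructed.

```python
from urllib.parse import unquote


def isindex_argv(query_string):
    """Return the argument list a CGI/1.1 server derives from an
    ISINDEX-style query, or None for an ordinary form submission."""
    # Rule from the CGI specification: only a query with no unencoded "="
    # is an indexed search. An encoded "%3D" does not count as "=".
    if not query_string or "=" in query_string:
        return None
    # Words are separated by "+" and each word is URL-decoded on its own.
    return [unquote(word) for word in query_string.split("+")]


def split_trust(environ, argv):
    """Split argv into (operator_supplied, url_derived).

    Assumption: the presence of GATEWAY_INTERFACE marks a CGI invocation.
    Under CGI every command-line argument was built from the request URL,
    so none of it may be used as an option or a file name.
    """
    if "GATEWAY_INTERFACE" not in environ:
        return list(argv), []      # run by hand: argv comes from the operator
    return [], list(argv)          # run by the web server: argv is remote input


if __name__ == "__main__":
    # Constructed sample request: "/cgi-bin/tool?report+2024%2F07"
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "QUERY_STRING": "report+2024%2F07"}
    remote = isindex_argv(env["QUERY_STRING"])
    trusted, untrusted = split_trust(env, remote)
    print("server passes as argv:", remote)
    print("safe to act on:", trusted, "| treat as data only:", untrusted)
```
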