|Subject:||generate does not handle bogus format requests|
Requesting bogus formats does not trigger the appropriate error, and may cause security breaches. TT.pm registers the following formats: html, atom, xml, rss, and rdf. However, insofar as I can tell, only xml works correctly. Requesting other formats does not work, and causes Bryar.cgi to fall through to its default output method. Requesting bogus formats will also fall through to the default output method instead of triggering an error. Futhermore, for all requests of the formcause bryar.cgi to suck in the text files in whatever directory in which it happens to reside, and output a blog page. In other words, it forgets about $datadir. (except where $FOO is "xml", as mentioned before) This is bad! If you want to keep all your executable scripts in, say, your cgi-bin directory (like most people) but want to keep blog entries elsewhere, this will allow people to read text files from cgi-bin. This will more or less defeat the purpose cgi-bin.