This queue is for tickets about the CGI-Application CPAN distribution.

Report information
The Basics
Id: 84403
Status: resolved
Priority: 0/
Queue: CGI-Application

People
Owner: mcgrath.martin [...] gmail.com
Requestors: tomas.zemres [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 4.50
Fixed in:
  • 4.50_50
  • 4.50_51



Subject: Security problem: missing "start" mode dumps ENV to output page
If I forget to assign the run mode "start", it internally calls "dump_html" instead. It prints $ENV into the HTTP response. In a development environment it may be useful, but in production mode it may be a security problem. It would be better to display something like "HTTP 500 Internal Server Error" about the missing run-mode/start-mode instead of dumping the server $ENV to website users in a production environment.
From: tnt [...] netsafe.cz
Maybe a better default start-mode would render: 404 Page Not Found
Thanks for the report.
From: mcgrath.martin [...] gmail.com
On Wed Apr 03 13:37:24 2013, MARKSTOS wrote:
> Thanks for the report.
Pull request to address this issue: https://github.com/markstos/CGI--Application/pull/15
Fixed in the dev releases 4.50_50 and 4.50_51 and in the 4.60 release: https://metacpan.org/pod/CGI::Application
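The following is an added example to make the report concrete and to give a deployer a quick check to run against whatever CGI::Application version is installed; it is not code from this ticket, from the pull request, or from CGI::Application itself. The class names LeakyApp and HardenedApp, the capture_run helper and the SECRET_TOKEN canary value are all constructed for illustration. LeakyApp is the misconfiguration the reporter describes: no start_mode() and no run_modes() are declared, so the framework's default "start" mapping is used, which on the affected 4.50 release is the dump_html debugging view. HardenedApp declares its start mode explicitly, routes any unknown run mode to a 404 page as suggested in the thread (using the framework's AUTOLOAD run mode), and sends exceptions to an error_mode that returns a generic 500 page while logging the detail server-side only.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use CGI;

# --- LeakyApp: the misconfiguration reported in this ticket ---------------
# No setup(), so no start_mode()/run_modes() are declared and the framework
# default for the "start" run mode applies. On the affected 4.50 release that
# default is dump_html, which renders %ENV (and the query) into the body.
package LeakyApp;
use base 'CGI::Application';

# --- HardenedApp: declare every mode; never fall through to a default -----
package HardenedApp;
use base 'CGI::Application';

sub setup {
    my $self = shift;
    # An explicit start mode means the framework's default mapping is never used.
    $self->start_mode('home');
    $self->run_modes(
        home     => 'home',
        AUTOLOAD => 'not_found',    # any unknown rm= value lands here
    );
    # Exceptions thrown inside a run mode are routed here, not to the client.
    $self->error_mode('server_error');
}

sub home { return "<h1>Home</h1>\n" }

sub not_found {
    my $self = shift;    # AUTOLOAD is also passed the requested mode; unused here
    $self->header_props(-status => '404 Not Found', -type => 'text/html');
    return "<h1>404 Not Found</h1>\n";
}

sub server_error {
    my ($self, $err) = @_;
    # Detail goes to the server log only; the client gets a generic page.
    warn "run mode failed: $err";
    $self->header_props(-status => '500 Internal Server Error', -type => 'text/html');
    return "<h1>500 Internal Server Error</h1>\n";
}

# --- Harness: run an app in-process and inspect what it would send --------
package main;

# Run $class with the given query parameters and return everything it
# printed (headers and body) as one string. Constructed for this example.
sub capture_run {
    my ($class, %params) = @_;
    my $app = $class->new(QUERY => CGI->new(\%params));
    my $out = '';
    {
        local *STDOUT;
        open STDOUT, '>', \$out or die "cannot capture STDOUT: $!";
        $app->run;
    }
    return $out;
}

# Plant a canary in the environment (constructed value). If it appears in a
# response body, the application is echoing %ENV to the client.
$ENV{SECRET_TOKEN} = 'canary-7f3a9c';

for my $case (
    [ LeakyApp    => {} ],
    [ HardenedApp => {} ],
    [ HardenedApp => { rm => 'does_not_exist' } ],
) {
    my ($class, $params) = @$case;
    my $resp = capture_run($class, %$params);
    my ($status) = $resp =~ /^Status:\s*(\d{3})/m;
    $status //= 200;    # CGI.pm emits no Status: header for a plain 200
    my $leak = $resp =~ /\Q$ENV{SECRET_TOKEN}\E/ ? 'LEAKS %ENV' : 'no %ENV in body';
    printf "%-12s rm=%-16s status=%s  %s\n",
        $class, $params->{rm} // '(start mode)', $status, $leak;
}
```

The script prints one line per case. What the LeakyApp line reports depends on the installed version: with the 4.50 behaviour described above the canary value appears in the body, so the line reads "LEAKS %ENV"; with the fixed releases named in this ticket it should not. The two HardenedApp lines should never leak, regardless of version, because the default mapping is never reached. The same canary check (set an environment variable with a value that cannot occur naturally, request the application with no rm parameter and with a bogus one, and grep the response) can be run from outside against a deployed instance without any code changes.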


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.