Paul Phillips has just noted that the file descriptors for the log files
are left open in NCSA 1.3, which might allow a malicious CGI script to
cover its tracks or wipe the log files entirely. It might be best to
just close all descriptors except for stdin, stdout, and stderr before
the exec() in cgi_stub(). Then again, stderr is generally set to the
error log, and I generally consider that a feature, rather than a bug
(if a script screws up, you generally get useful info in the error_log).
Any thoughts?
rst
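
The descriptor cleanup proposed in the message above, as an added C example that is not part of the original message and not NCSA httpd source. The function names `close_inherited_fds` and `child_fd_state` are hypothetical, `/dev/null` stands in for the log file, and the child probes its own descriptor table at the point where the exec() would happen.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Close everything above stderr; returns how many descriptors were closed. */
static int close_inherited_fds(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    int closed = 0;
    if (max < 0 || max > 65536)
        max = 65536;   /* assumption: cap the scan when the limit is huge */
    for (int fd = STDERR_FILENO + 1; fd < max; fd++)
        if (close(fd) == 0)
            closed++;
    return closed;
}

/* Fork as a CGI stub would and report what the child still holds:
 * bit 0 = log descriptor open, bit 1 = stderr open; -1 on error.
 * Constructed demo: /dev/null stands in for the access log. */
static int child_fd_state(int sanitize)
{
    int status, log_fd = open("/dev/null", O_WRONLY | O_APPEND);
    pid_t pid;
    if (log_fd < 0)
        return -1;
    pid = fork();
    if (pid == 0) {
        if (sanitize)
            close_inherited_fds();
        /* exec() of the script would go here. Descriptors without
         * FD_CLOEXEC survive exec, so this probe sees what it inherits. */
        int state = (fcntl(log_fd, F_GETFD) != -1) ? 1 : 0;
        if (fcntl(STDERR_FILENO, F_GETFD) != -1)
            state |= 2;
        _exit(state);
    }
    close(log_fd);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("unsanitized=%d sanitized=%d\n", child_fd_state(0), child_fd_state(1));
    return 0;
}
```

With the cleanup the child loses the log descriptor but keeps stderr, so script errors would still reach the error log.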