Hi,
yes, the Embperl list is the right address for such issues.
The problem is that Embperl has no idea what the webroot is, so it’s not easy to change the error message the way you suggest.
For production sites it is better to use an Apache Error Document and not display the internal error message at all. The Embperl error page is intended for debugging, not for production use. See http://perl.apache.org/embperl/de/pod/doc/Embperl.-page-13-.htm for how to set up an Apache ErrorDocument.
I hope this helps
Regards
Gerald
From: Wire Ghoul [mailto:wireghoul@gmail.com]
Sent: Tuesday, 7 January 2014 01:06
To: embperl@perl.apache.org
Subject: Embperl security bug
Hello there,
I hope this is the right address for reporting this. I already reported it to Debian, but it does not appear to have made it upstream to their perl maintainers list so I thought I would try a direct approach.
The embperl package reveals the full path of the webroot when displaying a 404 message. The offending code appears to exist at:
Embperl-2.4.0/epmain.c:137: case rcNotFound: msg ="[%d]ERR: %d: %s Not found '%s', searched: %s" ; break ;
Although there may be other instances as well. The full details can be found through the original Debian bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731996
Cheers,
Eldar "Wireghoul" Marcussen
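A check that could be run against captured error responses once an ErrorDocument is in place, to confirm the internal message from the quoted format string no longer reaches clients. This is an added example, not part of the thread or of Embperl; the sample bodies, the numeric values and the function names are constructed, and the meaning of the two `%d` fields is not assumed beyond their being integers.

```python
import html
import re

# Built from the format string quoted in the report:
#   "[%d]ERR: %d: %s Not found '%s', searched: %s"
EMBPERL_NOT_FOUND = re.compile(
    r"\[\d+\]ERR:\s+(?P<code>\d+):\s*(?P<context>.*?)\s*"
    r"Not found '(?P<requested>[^']*)', searched: (?P<searched>[^<\r\n]*)"
)
# Absolute Unix paths with at least two components, or Windows drive paths.
ABS_PATH = re.compile(r"(?<![\w.])(?:/[\w.\-]+){2,}|\b[A-Za-z]:\\[\w.\\\-]+")


def find_path_disclosure(body):
    """Return one finding per Embperl 'Not found' message in a response body."""
    findings = []
    # Unescape first so an HTML-escaped quote (&#39;) still matches.
    for m in EMBPERL_NOT_FOUND.finditer(html.unescape(body)):
        leaked = ABS_PATH.findall(m["requested"] + " " + m["searched"])
        findings.append({
            "code": int(m["code"]),
            "requested": m["requested"],
            "leaked_paths": sorted(set(leaked)),
        })
    return findings


def leaks_server_paths(body):
    """True if any Embperl error message in the body contains an absolute path."""
    return any(f["leaked_paths"] for f in find_path_disclosure(body))


# Constructed sample: debugging error page served directly to the client.
DEBUG_BODY = (
    "<html><body><h1>Embperl Error</h1>"
    "[4242]ERR:  30:  Not found '/var/www/example/missing.epl', "
    "searched: /var/www/example/lib;/var/www/example\n</body></html>"
)
# Constructed sample: same message with the quotes HTML-escaped.
ESCAPED_BODY = "[7]ERR: 30: Not found &#39;/srv/site/x.epl&#39;, searched: /srv/site"
# Constructed sample: static page served through an Apache ErrorDocument.
CLEAN_BODY = "<html><body><h1>Not Found</h1><p>No such page.</p></body></html>"

if __name__ == "__main__":
    for name, body in [("debug", DEBUG_BODY), ("escaped", ESCAPED_BODY),
                       ("clean", CLEAN_BODY)]:
        print(name, leaks_server_paths(body), find_path_disclosure(body))
```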