perl cgi problem

Discussion in 'Perl Misc' started by pfancy, Jul 8, 2004.

  1. pfancy

    Dave Cross Guest

    Which program did you check? And what problem do you think you have found?
    A few more details would be useful :)
    It can on every system it's been tried on but yours. If you gave us the
    details of your platform then we'll be happy to investigate your problem
    further.
    Well, it uses HTTP_REFERER for an optional (and largely deprecated)
    security feature. I'm pretty sure we document it as being weak.
    You're absolutely right. There was a problem with the web site. I've fixed
    that now.
    Yeah. That's inaccurate. We have contributions from experts all over the
    world - not just London :)
    Like I said above - we don't really advertise that as a security feature.
    Not only is it trivial to fake the HTTP_REFERER header, but we've noticed
    recently that many personal firewalls strip this header which makes that
    check useless. For that reason, formmail now ship with the
    $allow_empty_ref variable set to 1 which disables all referrer checking.

    So your current list of problems is:

    1/ POSIX doesn't seem to create usable timestamps on your platform.

    2/ You don't like a deprecated security feature.

    Is there anything else?

    Dave...
     
    Dave Cross, Jul 12, 2004
    #21
    1. Advertisements

  2. Taken from
    http://www.google.com/groups?selm=

    It looks as if Dave and co are doing a good job, and one that needed
    doing. All credit to him and his co-workers for that, and to
    exposing their development efforts to public scrutiny.
    [..]
    No matter that what they are claiming

    [viz. about the inadequacies in the original scripts]

    seems to be factually accurate, this detail of how they are
    presenting it is - in that respect - diplomatically unwise.

    It would be wiser for them to state what is available, and allow the
    public comments on how it stacks up against the opposition to emerge
    from others.

    I don't know how any sane person could interpret that as an accusation
    of spamming.
    Quite right
    Not really: I thought it was entirely justified; but politically
    unwise to emphasise it. The principle of "knocking copy", you know.

    I shall be glad when this troll-feeding frenzy fades out, to be
    honest. But I couldn't leave Dave to wield this particular clue-iron
    alone.[1]

    cheers

    [1] Or maybe that one: http://www.codesmiths.com/shed/things/clueiron/
     
    Alan J. Flavell, Jul 12, 2004
    #22
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.