Re: Installing 0.60 on Debian

From: Terje Bless <link@pobox.com>
Date: Fri, 13 Dec 2002 10:23:32 +0100
To: W3C Validator <www-validator@w3.org>
cc: Wim Fournier <w3c@hsmade.com>
Message-ID: <a01060007-1022-8CB669500E7C11D79AE800039300CF5C@[193.157.66.10]>

Wim Fournier <w3c@hsmade.com> wrote:

>*NOTE: I had to edit the /var/www/validator-0.60/cgi-bin/check to remove
>the -R line in the call for the sgml parser on line 476.

Please note that running onsgmls without the -R switch on a network-exposed
server opens you up to a file-disclosure vulnerability! Carefully crafted
input can be used to gain access to any file on the server that the user
running onsgmls (the web server user, most likely) has read access to.

We strongly advise against modifying the "check" CGI application this way!


-- 
"I don't want to learn to manage my anger;
 I want to FRANCHISE it!" -- Kevin Martin
Received on Friday, 13 December 2002 04:23:37 GMT
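
An added example, not part of the original message and not code from the validator project: a small audit that flags an onsgmls call in a deployed "check" script whose -R switch has been removed or commented out. It assumes the call is a ';'-terminated Perl statement that names "onsgmls" literally, with options as separate tokens; the two sample snippets are constructed and are not the real contents of "check".

```python
import re
import sys

# A standalone -R token, bare or quoted as a Perl list element.
RESTRICT_OPT = re.compile(r"(?<![\w-])-R(?![\w-])")

# Constructed samples; NOT the real contents of the validator's "check" script.
HARDENED = """\
my @cmd = ('/usr/bin/onsgmls',
           '-c', $catalog,
           '-R',
           $file);
"""
MODIFIED = """\
my @cmd = ('/usr/bin/onsgmls',
           '-c', $catalog,
#          '-R',
           $file);
"""

def onsgmls_statements(source):
    """Yield (start_line, text) for each ';'-terminated statement naming onsgmls.

    Comments are stripped first, so a commented-out -R does not count.
    Naive: a '#' inside a string literal is treated as a comment start.
    """
    stmt, start = [], None
    for no, raw in enumerate(source.splitlines(), 1):
        code = raw.split("#", 1)[0].rstrip()
        if not code.strip():
            continue
        if start is None:
            start = no
        stmt.append(code)
        if code.endswith(";"):
            text = "\n".join(stmt)
            if "onsgmls" in text:
                yield start, text
            stmt, start = [], None

def audit(source):
    """Return [(start_line, has_restrict_flag)] for every onsgmls call found."""
    return [(no, bool(RESTRICT_OPT.search(t))) for no, t in onsgmls_statements(source)]

if __name__ == "__main__":
    # Usage: python audit_check.py /path/to/cgi-bin/check
    results = audit(open(sys.argv[1], encoding="latin-1").read())
    for line_no, ok in results:
        print(f"line {line_no}: onsgmls call {'has' if ok else 'is MISSING'} -R")
    sys.exit(0 if results and all(ok for _, ok in results) else 1)
```

The script exits non-zero when any onsgmls call lacks -R or when no call is found at all, so it can gate a deployment or run from cron against the installed CGI.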