[pkg-lighttpd] Bug#499334: lighttpd: CGI scripts only work for remoteip "127.0.0.1"

Rodrigo Campos rodrigocc at gmail.com
Sat Oct 4 02:33:08 UTC 2008


Package: lighttpd
Version: 1.4.19-5
Followup-For: Bug #499334

The fix allows CGI execution only from localhost. If you enabled the cgi module, you
probably don't want it to work only from localhost.

The Apache package also enables it for "anybody".

The attached patch should fix this.


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (200, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages lighttpd depends on:
ii  libattr1               1:2.4.43-1        Extended attribute shared library
ii  libbz2-1.0             1.0.5-1           high-quality block-sorting file co
ii  libc6                  2.7-13            GNU C Library: Shared libraries
ii  libfam0                2.7.0-13.3        Client library to control the FAM 
ii  libldap-2.4-2          2.4.10-3          OpenLDAP libraries
ii  libpcre3               7.6-2.1           Perl 5 Compatible Regular Expressi
ii  libssl0.9.8            0.9.8g-13         SSL shared libraries
ii  libterm-readline-perl- 1.0302-1          Perl implementation of Readline li
ii  lsb-base               3.2-20            Linux Standard Base 3.2 init scrip
ii  mime-support           3.44-1            MIME files 'mime.types' & 'mailcap
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

lighttpd recommends no packages.

Versions of packages lighttpd suggests:
pn  apache2-utils                 <none>     (no description available)
ii  openssl                       0.9.8g-13  Secure Socket Layer (SSL) binary a
ii  rrdtool                       1.3.1-4    Time-series data storage and displ

-- no debconf information
-------------- next part --------------
--- 10-cgi.conf.orig	2008-10-03 23:18:47.000000000 -0300
+++ 10-cgi.conf	2008-10-03 23:20:01.000000000 -0300
@@ -6,12 +6,7 @@
 
 server.modules  += ( "mod_cgi" )
 
-$HTTP["remoteip"] =~ "127.0.0.1" {
-	alias.url += ( "/cgi-bin/" => "/usr/lib/cgi-bin/" )
-	$HTTP["url"] =~ "^/cgi-bin/" {
-		cgi.assign = ( "" => "" )
-	}
-}
+alias.url += ( "/cgi-bin/" => "/usr/lib/cgi-bin/" )
 
 $HTTP["url"] =~ "^/cgi-bin/" {
 	cgi.assign = ( "" => "" )
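Review bot: with the `$HTTP["remoteip"]` wrapper removed, the remaining `cgi.assign = ( "" => "" )` block under `$HTTP["url"] =~ "^/cgi-bin/"` applies to every client, so any file under /usr/lib/cgi-bin/ is run for any remote address, and nothing in 10-cgi.conf says so. Add a comment above the new `alias.url` line stating that enabling this module exposes /cgi-bin/ to all clients, and consider leaving a commented-out restriction for admins who want one. If you do, write it as `$HTTP["remoteip"] == "127.0.0.1"`: the removed condition used `=~` with unescaped dots and no anchors, which is looser than an exact comparison.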

