[Pkg-crosswire-devel] Diatheke CGI scripts

Jonathan Marsden jmarsden at fastmail.fm
Sat Jan 24 19:53:40 GMT 2009


Daniel Glassey wrote:

> After previous security issues with diatheke (CVE-2008-0932 and
> CAN-2005-0015) it shouldn't be
> easy to install without knowing what you are doing. But at the same
> time e.g. it may be useful functionality to create a quick and simple
> intranet bible site.

Fixing up the CGI scripts to be security-sane per both
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/web-apps.html
and http://www.w3.org/Security/Faq/wwwsf4.html would be a good thing to
do, and might get us some kudos from upstream... is there someone on
this team willing to take that on as "their" contribution to this
effort?  Not necessarily for immediate release into Jaunty, of course!

> So a way to do that install the cgi scripts to
> /usr/share/doc/diatheke/examples. Create a README.Debian for diatheke
> that strongly recommends installing the cgi scripts on a public
> webserver ...

I hope you meant "strongly recommends *against* installing..." ? :)

This sounds fine to me; for now we can throw them into examples/ and
mention doing so, and the security issues behind that, in README.Debian.
Longer term, if we want to continue including them, I'd suggest we do
the necessary work to make the code secure, and get that work accepted
upstream.

Just to be clear: no-one is suggesting that the diatheke command line
client is in itself a security risk, right -- it is just the CGI scripts
that are a concern?

Jonathan
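An added example, not part of this message and not code from the diatheke or SWORD projects, of the kind of "security-sane" CGI fix the two HOWTO links above describe: the wrapper allowlists every request parameter and then hands them to the command-line client as an argv list, so no shell ever parses user input. It assumes, for illustration only, that the wrapper maps a module name and a verse key onto -b and -k options of a diatheke binary; the option names, the module allowlist and the key syntax are assumptions, as is the contrast function unsafe_command, which shows the spliced-shell-string pattern the fix replaces.

```python
import os
import re
import subprocess
import sys
from urllib.parse import parse_qs

# Constructed allowlist of module names this site is willing to serve
# (assumption for illustration, not a list from the project).
ALLOWED_MODULES = {"KJV", "WEB", "ASV"}

# A verse reference such as "John 3:16" or "Gen 1:1-5": letters, digits,
# space, dot, colon, comma and hyphen, at most 80 characters. Shell
# metacharacters (; | & ` $ < > and friends) are simply not in the class,
# so anything carrying them is rejected rather than "escaped".
KEY_RE = re.compile(r"[A-Za-z0-9 .:,-]{1,80}")


class BadRequest(ValueError):
    """Raised when a request parameter fails allowlist validation."""


def build_argv(query_string: str) -> list[str]:
    """Turn a CGI QUERY_STRING into an argv list for the command-line client.

    The option names (-b module, -k key) are assumed for illustration.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    mod = params.get("mod", [""])[0]
    key = params.get("key", [""])[0]
    if mod not in ALLOWED_MODULES:
        raise BadRequest("unknown module")
    if not KEY_RE.fullmatch(key):
        raise BadRequest("malformed key")
    return ["diatheke", "-b", mod, "-k", key]


def unsafe_command(query_string: str) -> str:
    """The pattern to avoid: a shell command string spliced from raw input.

    Passed to a shell, a key of "John; id" runs `id` on the web server.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    mod = params.get("mod", [""])[0]
    key = params.get("key", [""])[0]
    return "diatheke -b %s -k %s" % (mod, key)


def lookup(query_string: str, runner=subprocess.run) -> str:
    """Validate, then run the client from an argv list (no shell involved)."""
    argv = build_argv(query_string)
    proc = runner(argv, capture_output=True, text=True, timeout=10, check=False)
    return proc.stdout


def cgi_main() -> int:
    """Minimal CGI entry point: plain-text response, raw input never echoed."""
    try:
        body = lookup(os.environ.get("QUERY_STRING", ""))
        status = "200 OK"
    except BadRequest as exc:
        body, status = "Bad request: %s\n" % exc, "400 Bad Request"
    except (OSError, subprocess.TimeoutExpired):
        body, status = "Lookup failed\n", "500 Internal Server Error"
    sys.stdout.write(
        "Status: %s\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n" % status
    )
    sys.stdout.write(body)
    return 0


if __name__ == "__main__":
    sys.exit(cgi_main())
```

The design point is that quoting user input for a shell is the fragile half of the problem; dropping the shell altogether (argv list) and rejecting rather than escaping anything outside a tight allowlist is what both the Secure Programs HOWTO and the W3C FAQ recommend. The timeout bounds how long one request can hold a process, and error responses report only a fixed string so the raw parameter is never reflected back into the page.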
