• Joshua Tauberer's avatar
    simplify how munin-cgi-graph is called to reduce the attack surface area · a14b1779
    Joshua Tauberer authored
    Seems like if REQUEST_METHOD is set to GET, then we can drop two redundant ways the query string is given. munin-cgi-graph itself reads the environment variables only, but its calls to Perl's CGI::param will look at the command line if REQUEST_METHOD is not used, otherwise it uses environment variables like CGI used to work.
    
    Since this is all behind admin auth anyway, there isn't a public vulnerability. #914 was opened without comment which lead me to notice the redundancy and worry about a vulnerability, before I realized this is admin-only anyway.
    
    The vulnerability was created by 6d6f3ea3.
    
    See #914.
    
    This is the v0.19b hotfix commit.
    a14b1779
daemon.py 20.6 KB