    simplify how munin-cgi-graph is called to reduce the attack surface area · 35a360ef
    Joshua Tauberer authored
    Seems like if REQUEST_METHOD is set to GET, then we can drop two redundant ways the query string is given. munin-cgi-graph itself reads the environment variables only, but its calls to Perl's CGI::param will look at the command line if REQUEST_METHOD is not used, otherwise it uses environment variables like CGI used to work.
    
    Since this is all behind admin auth anyway, there isn't a public vulnerability. #914 was opened without comment which led me to notice the redundancy and worry about a vulnerability, before I realized this is admin-only anyway.
Name
conf
management
ppa
setup
tests
tools
.gitignore
CHANGELOG.md
CODE_OF_CONDUCT.md
CONTRIBUTING.md
LICENSE
README.md
Vagrantfile
security.md