    simplify how munin-cgi-graph is called to reduce the attack surface area · a14b1779
    Joshua Tauberer authored
    Seems like if REQUEST_METHOD is set to GET, then we can drop two redundant ways the query string is given. munin-cgi-graph itself reads the environment variables only, but its calls to Perl's CGI::param will look at the command line if REQUEST_METHOD is not used, otherwise it uses environment variables like CGI used to work.
    
    Since this is all behind admin auth anyway, there isn't a public vulnerability. #914 was opened without comment which led me to notice the redundancy and worry about a vulnerability, before I realized this is admin-only anyway.
    
    The vulnerability was created by 6d6f3ea3.
    
    See #914.
    
    This is the v0.19b hotfix commit.
Name
conf
management
ppa
setup
tests
tools
.gitignore
CHANGELOG.md
CONTRIBUTING.md
LICENSE
README.md
Vagrantfile
security.md