From 50324a604c3f3c83fcbc4eb6a4783b26a0bcb5a6 Mon Sep 17 00:00:00 2001 From: Alex Martelli Date: Sun, 9 Nov 2003 16:31:18 +0000 Subject: Avoid giving advice that's bad for security, as per SF bug #823515 (same as commit of Sun Nov 2 to the release23-maint branch) --- Doc/lib/libcgi.tex | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Doc/lib/libcgi.tex b/Doc/lib/libcgi.tex index 055f66c..add322d 100644 --- a/Doc/lib/libcgi.tex +++ b/Doc/lib/libcgi.tex @@ -598,7 +598,9 @@ Usually, this means using absolute path names --- \envvar{PATH} is usually not set to a very useful value in a CGI script. \item When reading or writing external files, make sure they can be read -or written by every user on the system. +or written by the userid under which your CGI script will be running: +this is typically the userid under which the web server is running, or some +explicitly specified userid for a web server's \samp{suexec} feature. \item Don't try to give a CGI script a set-uid mode. This doesn't work on most systems, and is a security liability as well. -- cgit v0.12
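Review bot: In the \item on reading or writing external files, the replacement wording "can be read or written by the userid under which your CGI script will be running" still treats read and write access as one grant, so a reader can come away giving the web server's userid write permission on files the script only ever reads. I would split the sentence so that files the script reads need only be readable by that userid and files it writes need only be writable by it, and state that other users need no access, since the removed line ("by every user on the system") is exactly what readers of the old text will have configured. The \samp{suexec} reference is also introduced with no explanation in the visible context; a few words on what it does, or a pointer to the web server's documentation, would help readers who have not met it.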