Re: [Erlyaws-list] Two Small Patches for Yaws

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Sergei Golovan wrote:
> Hi!
> 
> I would like to submit two little patches to Yaws (BTW, it's an
> excellent piese of software!)
> 
> 1) Yaws 1.63 doesn't work with PHP version 4.3.2 or later (see
> http://bugs.php.net/bug.php?id=28227). These versions of PHP look at
> SCRIPT_FILENAME environment variable to find the filename.
> The patch simply defines this variable.
> 
> 2) It seems to me that module yaws_ctl is insecure. Now it's prefectly
> possible for local user to find yaws_ctl socket (usually there are
> only a few sockets which listen on localhost) and send the command to
> yaws_ctl, for example stopping the server (DoS attack).
> The patched Yaws uses simple cookie-based authentication. Cookie is
> stored in the same file as the port to connect. So, to be able to
> control Yaws the attacker must read the Yaws control file.
> 
> Both patches are attached (in a single file).

Very nice patches - thanks.

/klacke

-- 
Claes Wikstrom                        -- Caps lock is nowhere and
http://www.tail-f.com                 -- everything is under control
cellphone: +46 70 2097763