[icecast-dev] [PATCH] is it of any interest ?

Likai Liu news at likai.net
Wed Nov 7 07:34:24 PST 2001
Jack Moffitt wrote:

>I recommend that _no one_ run this patch on any server.  It allows
>execution access to any file on the system as the user that icecast is
>run as.  This is a surefire way to get yourself hacked to hell.
>
>The idea is nice, but you should really pay a lot more attention to
>security issues.  cgi's need to be run from a certain directory only.
>You shouldn't allow arbitrary files to be executed.  Also you need to
>pass a modified environment to the script in order for this to be real
>CGI.
>
that said, whenever possible, always let a web server do what it is 
worth, including serving cgi-bin scripts, dynamic webpages, or static 
content. let the webserver do everything other than streaming. i even 
strongly recommend using httpd to serve the static directory in icecast. 
if you're going to serve a lot of static files, this not only takes the 
load off icecast, httpd is also more fine tuned for performance, 
security, and standard compliance in this case.

most icecast servers use port 8000, so it doesn't fight with a web server.

also, i have a question regarding patches ...

if i want to look for potential bugs and perhaps donate a bugfix, is it 
better to do it for the current stable release (1.3.11) or is it better 
to work on icecast 2.0? what is the development plan now?

liulk
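The two requirements Jack raises in the quoted reply (scripts may only be run from one designated directory, and the script must receive a constructed CGI environment rather than the server's own) are illustrated below as an added example. It is not icecast code, and the names `safe_cgi_path`, `build_cgi_environ` and `demo` are this example's own; the directory layout it builds under a temporary directory is constructed for the illustration.

```python
"""Confine CGI execution to one directory and hand the script a clean environment.

Added example for the CGI points made in the thread; not icecast code.
All function names here are the example's own.
"""
import os
import stat
import tempfile
from typing import Dict, Optional

ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def safe_cgi_path(cgi_root: str, script_name: str) -> Optional[str]:
    """Map the part of the URL after '/cgi-bin/' onto a file that must live
    under cgi_root.  Returns the resolved path, or None when the request
    escapes cgi_root ('..', absolute component, or a symlink pointing out)
    or names something that is not a regular, executable file."""
    if "\0" in script_name:
        # A NUL byte would truncate the path at the execve() boundary.
        return None
    root = os.path.realpath(cgi_root)
    # realpath() follows symlinks, so the prefix check below is done on what
    # the kernel would actually open, not on the text of the request.
    candidate = os.path.realpath(os.path.join(root, script_name.lstrip("/")))
    # Compare with the trailing separator so '/srv/cgi-bin-other' is not
    # mistaken for something inside '/srv/cgi-bin'.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    try:
        st = os.stat(candidate)
    except OSError:
        return None
    if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_IXUSR):
        return None
    return candidate


def build_cgi_environ(method: str, script_name: str, query: str,
                      remote_addr: str) -> Dict[str, str]:
    """Build the environment handed to the script.  It starts from an empty
    dict, not os.environ, so the server's own variables never leak into
    the child; only the CGI/1.1 variables the script is entitled to see."""
    if method not in ALLOWED_METHODS:
        raise ValueError("unsupported request method")
    return {
        "GATEWAY_INTERFACE": "CGI/1.1",
        "SERVER_PROTOCOL": "HTTP/1.0",
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": script_name,
        "QUERY_STRING": query,
        "REMOTE_ADDR": remote_addr,
        # A fixed, minimal PATH instead of whatever the server inherited.
        "PATH": "/usr/bin:/bin",
    }


def demo() -> Dict[str, bool]:
    """Constructed layout: a cgi-bin with one real script, one non-executable
    file, one symlink escaping the directory, plus a target outside it.
    Returns, per request, whether safe_cgi_path would allow execution."""
    results: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as base:
        cgi_root = os.path.join(base, "cgi-bin")
        os.mkdir(cgi_root)
        outside = os.path.join(base, "outside.sh")
        for path in (os.path.join(cgi_root, "ok.cgi"), outside):
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\necho Content-Type: text/plain\necho\n")
            os.chmod(path, 0o755)
        with open(os.path.join(cgi_root, "notes.txt"), "w") as fh:
            fh.write("not a script\n")
        os.symlink(outside, os.path.join(cgi_root, "escape.cgi"))
        for req in ("ok.cgi", "../outside.sh", "escape.cgi", "notes.txt"):
            results[req] = safe_cgi_path(cgi_root, req) is not None
    return results


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:16s} -> {'execute' if allowed else 'reject'}")
```

Only `ok.cgi` passes; the traversal, the symlink pointing out of the directory and the non-executable file are all rejected before anything is spawned, and the environment passed to the surviving script contains nothing inherited from the server process.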

--- >8 ----
List archives:  http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to 'icecast-dev-request at xiph.org'
containing only the word 'unsubscribe' in the body.  No subject is needed.
Unsubscribe messages sent to the list will be ignored/filtered.