deislabs / wagi

Write HTTP handlers in WebAssembly with a minimal amount of work
Apache License 2.0
889 stars 44 forks

fix SCRIPT_NAME to not disclose location on disk #111

Closed technosophos closed 3 years ago

technosophos commented 3 years ago

This closes an information disclosure hole in Wagi, and also makes it consistent with the letter of the CGI 1.1 RFC, though not with the intent of the RFC.

Signed-off-by: Matt Butcher <matt.butcher@microsoft.com>

technosophos commented 3 years ago

DO NOT MERGE YET! I just re-read the RFC and this is incorrect.