Opened 6 years ago

Closed 6 years ago

#5269 closed bug (wontfix)

RTS flag decoding broken

Reported by: augustss
Owned by:
Priority: normal
Milestone:
Component: Runtime System
Version: 7.0.4
Keywords:
Cc: pho@…
Operating System: Unknown/Multiple
Architecture: Unknown/Multiple
Type of failure: None/Unknown
Test Case:
Blocked By:
Blocking:
Related Tickets:
Differential Rev(s):
Wiki Page:


Some misguided security paranoia seems to have turned off a lot of the flag decoding done by the RTS, unless the program is compiled with -rtsopts. This is very annoying, because for 99% of the use cases you want the flag decoding on. You should cater for the common case, not the uncommon case. So my suggestion is to make -rtsopts the default, and have a flag to turn it off.

Change History (2)

comment:1 Changed 6 years ago by PHO

Cc: pho@… added

comment:2 Changed 6 years ago by simonmar

Resolution: wontfix
Status: new → closed

I sympathise. But the basic problem is that when used as a CGI script, the command-line arguments come from an untrusted source, and most people wouldn't know that they need to use -no-rtsopts with CGI. Furthermore the consequences could be disastrous, so I don't think we had much choice here - placing the responsibility on the user to close a security hole explicitly with an obscure flag is just wrong.

See also #3910.
