Headline
CVE-2020-35769: Always use IPv6 if a v6 address was given https://github.com/webmin/w… · webmin/webmin@1163f3a
miniserv.pl in Webmin 1.962 on Windows mishandles special characters in query arguments to the CGI program.
@@ -2603,8 +2603,9 @@ sub handle_request
if ($on_windows) {
Run the CGI program, and feed it input
chdir($ENV{"PWD"});
local $qqueryargs = join(" ", map { “\"$_\"” }
split(/\s+/, $queryargs));
local $qqueryargs = join(" ",
map { s/([<>|&"^])/^$1/g; “\"$_\"” }
split(/\s+/, $queryargs));
if ($first =~ /(perl|perl.exe)$/i) {
On Windows, run with Perl
open(CGIOUTr, “$perl_path \"$full\” $qqueryargs <$infile |");