From: Gaël Vittu
To: Thiago Lacerda Zago
Cc: freebsd-cvsweb@FreeBSD.org
Subject: Re: cvsweb authentication implementation
Date: Wed, 29 Aug 2007 08:08:24 +0200
Message-id: <46D50D58.8020009@cnamts.fr>
In-reply-to: <1EA6EF878B09DC44892FD9C2BE4D68421A2654@SNEDCPMS01.internal.timbrasil.com.br>
Organization: CNAMTS - CNQD - Grenoble
List-Id: CVS Web maintenance mailing list (freebsd-cvsweb@freebsd.org)

Hello,

This message comes to you because Perl is launched in 'tainted' mode (1st line of cvsweb.cgi => -T). To use variables, you have to check them before using them.

In my version of CVSweb, I have to read configuration files so that users can use their own profiles. Let's say that '$myvar' is the name of that profile. I have to add '.conf' to create the name of the conf file.

Try this:

    if ($myvar =~ /^([-\@\w.]+)$/) {
        $myvar = "$1.conf";   # only the capture $1 is untainted (perl option -T);
                              # assigning "$myvar" . ".conf" would keep the taint
    }

If you're interested in my version, so that your users can create their own profiles, let me know.

Gaël

Thiago Lacerda Zago wrote:
> Hi,
>
> I'm implementing, let me say, sort of an authentication in cvsweb so that only our permitted staff could use this tool through our intranet.
>
> I'm doing so by reading the PHP session from the starting page that calls cvsweb.cgi, and using PHP::Session to retrieve the user-provided data. Then I'm propagating the session id through all cvsweb.cgi links through method GET and CGI param().
>
> I'm almost done with this task but now I am facing a problem that I was not able to solve yet.
>
> When I click the link that follows the icon to show the revisions graphically, the reference link is http://xxx/cgi-bin/ /cvsweb.cgi/dcn_cor/router.db?graph=1;sid=5s4gj964cd4c2j88ljsxz3qopr
>
> Where sid=5s4gj964cd4c2j88ljsxz3qopr in this case is the PHP session id that I'm sending along the link http://xxx/cgi-bin/ /cvsweb.cgi/dcn_cor/router.db?graph=1 so that the graph page could be authenticated and allowed to be displayed as well.
>
> The problem is that I keep getting this error message.
>
> :: Error ::
>
> Error: '/usr/bin/cvsgraph -r /usr/local/rancid/var/CVS -m dcn_cor/configs/ -i -M CvsGraphMap -x x -Omap_branch_href="href=\"./?only_with_tag=%(%t%);sortby=date\"" -Omap_rev_href="href=\"?rev=%(%R%);sortby=date\"" -Omap_diff_href="href=\"%(0.000000%).diff?sid=5s4gj964cd4c2j88ljsxz3qopr;r1=%(%P%);r2=%(%R%);sortby=date\"" -c /etc/cvsgraph.conf router005,v' failed: Insecure dependency in exec while running with -T switch at /usr/lib/perl5/site_perl/5.8.0/IPC/Run.pm line 1272. at /xxx/www/cgi-bin/cvsweb.cgi line 4545
>
> The sub customized to accomplish this is doGraphView().
>
> The funny thing is that this error occurs only when I add a ?sid=$id to the array @graph_cmd as shown right below.
>
>     my @graph_cmd =
>       ($CMD{cvsgraph},
>        '-r', $cvsroot,
>        '-m', $pathname,
>        '-i',
>        '-M', $mapname,
>        '-x', 'x',
>        "-Omap_branch_href=\"href=\\\"./?only_with_tag=%(%t%)$notag_query\\\"\"",
>        "-Omap_rev_href=\"href=\\\"?rev=%(%R%)$barequery\\\"\"",
>        "-Omap_diff_href=\"href=\\\"%(%F%).diff" .
>        "?sid=$id;r1=%(%P%);r2=%(%R%)$barequery\\\"\"",
>       );
>
> If I do the same thing but this time manually writing the value ?sid=5s4gj964cd4c2j88ljsxz3qopr, it just works fine and no error is issued at all.
>
>     my @graph_cmd =
>       ($CMD{cvsgraph},
>        '-r', $cvsroot,
>        '-m', $pathname,
>        '-i',
>        '-M', $mapname,
>        '-x', 'x',
>        "-Omap_branch_href=\"href=\\\"./?only_with_tag=%(%t%)$notag_query\\\"\"",
>        "-Omap_rev_href=\"href=\\\"?rev=%(%R%)$barequery\\\"\"",
>        "-Omap_diff_href=\"href=\\\"%(%F%).diff" .
>        "?sid=5s4gj964cd4c2j88ljsxz3qopr;r1=%(%P%);r2=%(%R%)$barequery\\\"\"",
>       );
>
> Any hint on how to solve this problem and/or a better solution to implementing a cvsweb authentication?
>
> Thanks in advance.
>
> Thiago Zago
>
> _______________________________________________
> freebsd-cvsweb@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-cvsweb
> To unsubscribe, send any mail to "freebsd-cvsweb-unsubscribe@freebsd.org"

--
Gaël VITTU - DDSI/DIQ/DRI
04.76.69.43.91

*****************************************************
"The content of this e-mail and any attachments are confidential. They are addressed exclusively to the intended recipient. If this message is not intended for you, or if you received it by mistake, then in order not to violate the secrecy of correspondence you must not forward it to other people or reproduce it. Please return it to the sender and destroy it.
Warning: the sender's organisation cannot be held responsible for any alteration of this e-mail. It is the recipient's responsibility to check that the messages and attachments received do not contain viruses.
The opinions contained in this e-mail and any attachments are those of the sender. They do not reflect the position of the organisation unless otherwise stated in this e-mail."
******************************************************
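The point made in the reply above (that under -T only a regex capture clears the taint, and that copying or concatenating a tainted value keeps it tainted, which is exactly why the interpolated $id in @graph_cmd trips "Insecure dependency" while the literal does not) can be reproduced in a stand-alone script. The following is an added example; it is not code from cvsweb, cvsgraph or either poster. It assumes %ENV as the source of a tainted value so it runs offline, /bin/echo as a harmless stand-in for cvsgraph, and a session-id alphabet of [A-Za-z0-9] (1..64 chars), which is an assumption to be tightened to whatever the session store really emits.

```perl
#!/usr/bin/perl -T
# Added example, not code from cvsweb or from this thread: how -T treats
# outside data and why only a regex capture clears the taint.
# Run it as:  perl -T taint_demo.pl   (-T must also be given on the
# command line, otherwise Perl dies with "Too late for -T").
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T every value that comes from outside the program (CGI param(),
# @ARGV, %ENV, file contents, ...) carries a taint flag, and exec/system
# refuse any tainted operand. Assumption: %ENV is used as the taint source
# so the script runs offline; a zero-length substr keeps the flag.
my $taint = substr(join('', values %ENV), 0, 0);

# perlsec: before any exec/system the environment itself must be cleaned,
# even when the command is given by absolute path.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/bin:/usr/bin';

# Constructed inputs standing in for the sid read from the PHP session.
my $good = $taint . '5s4gj964cd4c2j88ljsxz3qopr';
my $evil = $taint . 'abc"; rm -rf /; echo "';

# Wrong: matching, then copying or concatenating, leaves the taint in place.
sub untaint_wrong {
    my ($raw) = @_;
    return $raw =~ /^([-\@\w.]+)$/ ? "$raw.conf" : undef;
}

# Right: validate against a whitelist and keep only the capture; $1 is the
# only thing the match untaints. Assumption: a session id is 1..64 chars of
# [A-Za-z0-9]; tighten this to what your session store really emits.
sub untaint_sid {
    my ($raw) = @_;
    return $raw =~ /\A([A-Za-z0-9]{1,64})\z/ ? $1 : undef;
}

my $still_dirty = untaint_wrong($good);
printf "untaint_wrong : %-32s tainted=%s\n",
    $still_dirty, tainted($still_dirty) ? 'yes' : 'no';

my $clean = untaint_sid($good);
printf "untaint_sid   : %-32s tainted=%s\n",
    $clean, tainted($clean) ? 'yes' : 'no';
printf "untaint_sid   : evil input %s\n",
    defined untaint_sid($evil) ? 'ACCEPTED' : 'rejected';

# The thread's failure, reproduced: a tainted string reaches system().
# (cvsweb goes through IPC::Run, which ends in the same exec check.)
my $ok = eval { system('/bin/echo', "sid=$still_dirty") == 0 };
print "system() with tainted arg: ", ($ok ? "ran\n" : "refused: $@");

# With the laundered value the same call is allowed.
system('/bin/echo', "sid=$clean") == 0 or die "echo failed: $?";
```

Applied to the @graph_cmd case in the thread, this means validating $id once with a whitelist match and interpolating $1 (not $id) into the -Omap_diff_href argument; the literal sid works only because a string constant in the source is never tainted.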