Date:      Sun, 4 Dec 2005 17:55:00 +0100
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Ceri Davies <ceri@FreeBSD.org>
Cc:        doc-committers@FreeBSD.org, cvs-doc@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: www/en send-pr.sgml www/en/cgi Makefile confirm-code.cgi sendpr-code.cgi
Message-ID:  <20051204165500.GF846@zaphod.nitro.dk>
In-Reply-To: <200512041618.jB4GIeBf037651@repoman.freebsd.org>
References:  <200512041618.jB4GIeBf037651@repoman.freebsd.org>

On 2005.12.04 16:18:40 +0000, Ceri Davies wrote:
> ceri        2005-12-04 16:18:40 UTC
>
>   FreeBSD doc repository
>
>   Modified files:
>     en                   send-pr.sgml
>     en/cgi               Makefile confirm-code.cgi
>   Removed files:
>     en/cgi               sendpr-code.cgi
>   Log:
>   Refactor the "confirmation code" stuff into a general purpose script.
>
>   confirm-code.cgi contains a preconfigured list of databases and their
>   parameters.  When a request comes in, the database in the request's 'db'
>   parameter is checked for validity, and a code is generated, stored in
>   the appropriate database and returned.
>
>   Use this new script in send-pr.sgml and remove sendpr-code.cgi which is
>   now superseded.
[...]
> | --- www/en/cgi/confirm-code.cgi	2005/11/11 08:58:06	1.5
> | +++ www/en/cgi/confirm-code.cgi	2005/12/04 16:18:40	1.6
[...]
> | @@ -22,52 +25,81 @@ my @availchars =3D qw(A B C D E F G H J K=20
> |  $pnmcat =3D "/usr/local/bin/pnmcat";
> |  $pnmtopng =3D "/usr/local/bin/pnmtopng";
> |  $pnmdatadir =3D "../gifs/";
> | -$dbpath =3D "/tmp/sendpr-code.db";
> | -$expiretime =3D 2700;		# seconds until code expires
> | +$expiretime =3D 0;	# Default for the Expires: header
> |  ############################################
> | =20
> | +# The code databases that we know about.  If a query comes in for
> | +# anything else, we return a zero byte "image" (rather than an image
> | +# with a rude word in, which was tempting).
> | +
> | +%db =3D (
> | +# The querypr one is not used, but stands as an example.
> | +#	querypr =3D> {
> | +#		path =3D> '/tmp/querypr-code.db',
> | +#		lifespan =3D> 2700,
> | +#	},
> | +	sendpr =3D> {
> | +		path =3D> '/tmp/sendpr-code.db',
> | +		lifespan =3D> 2700,
> | +	},
> | +);
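
Review bot: the sendpr entry in %db still sets path to '/tmp/sendpr-code.db', a fixed, predictable name in a world-writable directory, carried over unchanged from the removed $dbpath line, so another local user can create that name or put a symlink there before the script first opens it. Suggest pointing path at a directory that only the account running the CGI can write to, and changing the commented-out querypr example in the same way so the /tmp pattern is not copied into new entries. Separately, $expiretime keeps its name while its comment changes from "seconds until code expires" to "Default for the Expires: header"; a new name would keep it from being confused with the per-database lifespan value.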

Could we put the database somewhere else, i.e. not in a world writeable
directory, so we don't have obvious potential temporary file
vulnerabilities?

While the real problem is very small (since so few people have access
to www) I would on principle greatly prefer to have the database
somewhere else, e.g. under /usr/local/www/var/confirm-code ?

I can create the directory and set appropriate permissions for this to
work.

-- 
Simon L. Nielsen
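
The location check argued for in the message above, as an added example that is not part of the original message or of the FreeBSD scripts: a shell function that rejects a database path whose directory is world-writable or whose file is a symlink. The function name check_db_path is hypothetical; the path in the usage comment is the one proposed in the message.

```shell
#!/bin/sh
# Added example, not FreeBSD project code.
# check_db_path PATH (hypothetical helper): return 0 if PATH is an acceptable
# place for a CGI state database, 1 otherwise (reason printed on stderr).
check_db_path() {
    db=$1
    dir=$(dirname "$db")

    # The containing directory must be a real directory, not a symlink.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "reject: $dir is missing or is a symlink" >&2
        return 1
    fi
    # In a world-writable directory any local user can create the name first;
    # the sticky bit on /tmp only restricts deleting other users' files.
    if [ -n "$(find "$dir" -prune -perm -0002 -print)" ]; then
        echo "reject: $dir is world-writable" >&2
        return 1
    fi
    # An existing database must be a plain file that others cannot write to.
    if [ -L "$db" ]; then
        echo "reject: $db is a symlink" >&2
        return 1
    fi
    if [ -e "$db" ]; then
        if [ ! -f "$db" ]; then
            echo "reject: $db is not a regular file" >&2
            return 1
        fi
        if [ -n "$(find "$db" -prune -perm -0002 -print)" ]; then
            echo "reject: $db is world-writable" >&2
            return 1
        fi
    fi
    return 0
}

# Usage: sh check_db_path.sh /usr/local/www/var/confirm-code/sendpr-code.db
if [ "$#" -gt 0 ]; then
    check_db_path "$1"
fi
```

Only the immediate directory and the file itself are inspected; ownership and parent directories are outside what this check covers.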
