From: "Simon L. Nielsen"
To: Ceri Davies
Cc: doc-committers@FreeBSD.org, cvs-doc@FreeBSD.org, cvs-all@FreeBSD.org
Date: Sun, 4 Dec 2005 17:55:00 +0100
Subject: Re: cvs commit: www/en send-pr.sgml www/en/cgi Makefile confirm-code.cgi sendpr-code.cgi
Message-ID: <20051204165500.GF846@zaphod.nitro.dk>
In-Reply-To: <200512041618.jB4GIeBf037651@repoman.freebsd.org>

On 2005.12.04 16:18:40 +0000, Ceri Davies wrote:
> ceri        2005-12-04 16:18:40 UTC
>
>   FreeBSD doc repository
>
>   Modified files:
>     en                   send-pr.sgml
>     en/cgi               Makefile confirm-code.cgi
>   Removed files:
>     en/cgi               sendpr-code.cgi
>   Log:
>   Refactor the "confirmation code" stuff into a general purpose script.
>
>   confirm-code.cgi contains a preconfigured list of databases and their
>   parameters. When a request comes in, the database in the request's 'db'
>   parameter is checked for validity, and a code is generated, stored in
>   the appropriate database and returned.
>
>   Use this new script in send-pr.sgml and remove sendpr-code.cgi which is
>   now superseded.

[...]

> | --- www/en/cgi/confirm-code.cgi	2005/11/11 08:58:06	1.5
> | +++ www/en/cgi/confirm-code.cgi	2005/12/04 16:18:40	1.6

[...]

> | @@ -22,52 +25,81 @@ my @availchars = qw(A B C D E F G H J K
> | $pnmcat = "/usr/local/bin/pnmcat";
> | $pnmtopng = "/usr/local/bin/pnmtopng";
> | $pnmdatadir = "../gifs/";
> | -$dbpath = "/tmp/sendpr-code.db";
> | -$expiretime = 2700; # seconds until code expires
> | +$expiretime = 0; # Default for the Expires: header
> | ############################################
> |
> | +# The code databases that we know about. If a query comes in for
> | +# anything else, we return a zero byte "image" (rather than an image
> | +# with a rude word in, which was tempting).
> | +
> | +%db = (
> | +# The querypr one is not used, but stands as an example.
> | +# querypr => {
> | +# path => '/tmp/querypr-code.db',
> | +# lifespan => 2700,
> | +# },
> | + sendpr => {
> | + path => '/tmp/sendpr-code.db',
> | + lifespan => 2700,
> | + },
> | +);

Could we put the database somewhere else, i.e. not in a world-writeable
directory, so we don't have obvious potential temporary file
vulnerabilities? While the real problem is very small (since so few
people have access to www) I would on principle greatly prefer to have
the database somewhere else, e.g. under /usr/local/www/var/confirm-code ?
I can create the directory and set appropriate permissions for this to
work.

-- 
Simon L. Nielsen
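Review bot: the new %db table keeps the live database at '/tmp/sendpr-code.db' (and the commented querypr example at '/tmp/querypr-code.db'), so the refactor carries the old $dbpath location forward into a directory every local user can write to, where a file or symlink pre-created under that name is what the CGI ends up opening; the path for each entry should live in a directory owned by and writable only by the web user, such as the /usr/local/www/var/confirm-code proposed in the reply, with the directory mode checked at startup. Separately, $expiretime keeps its name but changes meaning in this hunk, from "seconds until code expires" (now the per-database lifespan key) to the default for the Expires: header; a name like $expiresheader would stop the two from being confused by anyone reading the 1.5 comment alongside the new table.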
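An added example, not code from this commit or from the www tree, showing the two checks the thread is about in Python rather than the script's Perl: the request's 'db' value is only accepted if it names an entry in the configured table, and the database is only opened if its directory is not writable by other users and the path is not a symlink. The table layout (path and lifespan keys) and the /usr/local/www/var/confirm-code location follow the thread; the function names and the `demo()` scratch-directory walkthrough are mine.

```python
import errno
import os
import shutil
import stat
import tempfile

# Stand-in for the %db table in confirm-code.cgi. The path follows the
# directory suggested in the reply; the committed script at this revision
# still uses /tmp/sendpr-code.db. Constructed example, not the real config.
DATABASES = {
    "sendpr": {
        "path": "/usr/local/www/var/confirm-code/sendpr-code.db",
        "lifespan": 2700,
    },
}


class UnsafeLocation(Exception):
    """The database path cannot be trusted: shared directory or planted symlink."""


def lookup_db(name, table=DATABASES):
    """Whitelist check on the request's 'db' parameter.

    Returns the configured entry, or None for anything not in the table
    (the CGI answers unknown names with a zero-byte image)."""
    return table.get(name)


def directory_is_private(dirname):
    """True if dirname is a real directory writable only by its owner.

    The sticky bit on /tmp does not help here: any local user can still
    create a file or symlink with the database's name before the CGI does,
    so group/other write permission is rejected outright."""
    st = os.lstat(dirname)
    if not stat.S_ISDIR(st.st_mode):
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def open_code_db(name, table=DATABASES):
    """Validate 'name' against the table and open its database safely.

    Returns an open file descriptor, None for an unknown database name, and
    raises UnsafeLocation if the directory is shared or the path is a symlink."""
    cfg = lookup_db(name, table)
    if cfg is None:
        return None
    path = cfg["path"]
    dirname = os.path.dirname(path) or "."
    if not directory_is_private(dirname):
        raise UnsafeLocation("%s is writable by other users" % dirname)
    try:
        # O_NOFOLLOW turns a symlink at the final component into an error
        # instead of silently opening whatever the link points at.
        fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    except OSError as exc:
        # Linux reports ELOOP for a symlink under O_NOFOLLOW; FreeBSD reports EMLINK.
        if exc.errno in (errno.ELOOP, errno.EMLINK):
            raise UnsafeLocation("%s is a symlink" % path)
        raise
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise UnsafeLocation("%s is not a regular file" % path)
    return fd


def demo():
    """Exercise the checks in a scratch directory; returns the outcomes."""
    results = {}
    base = tempfile.mkdtemp()  # created mode 0700, so private
    db_path = os.path.join(base, "sendpr-code.db")
    table = {"sendpr": {"path": db_path, "lifespan": 2700}}
    try:
        results["unknown_db"] = open_code_db("querypr", table)
        fd = open_code_db("sendpr", table)
        results["private_dir_ok"] = fd is not None
        os.close(fd)
        # Simulate a symlink planted where the database should be.
        os.unlink(db_path)
        os.symlink(os.path.join(base, "elsewhere"), db_path)
        try:
            open_code_db("sendpr", table)
            results["symlink_rejected"] = False
        except UnsafeLocation:
            results["symlink_rejected"] = True
        os.unlink(db_path)
        # Give the directory /tmp-like permissions (drwxrwxrwt).
        os.chmod(base, 0o1777)
        try:
            open_code_db("sendpr", table)
            results["world_writable_rejected"] = False
        except UnsafeLocation:
            results["world_writable_rejected"] = True
    finally:
        os.chmod(base, 0o700)
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    print(demo())
```

The directory check is deliberately stricter than "has the sticky bit": with a fixed, predictable file name the sticky bit only stops other users from deleting the file, not from creating it first, which is the temporary-file problem the reply refers to.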