Date: Sun, 4 Dec 2005 17:55:00 +0100 From: "Simon L. Nielsen" <simon@FreeBSD.org> To: Ceri Davies <ceri@FreeBSD.org> Cc: doc-committers@FreeBSD.org, cvs-doc@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: www/en send-pr.sgml www/en/cgi Makefile confirm-code.cgi sendpr-code.cgi Message-ID: <20051204165500.GF846@zaphod.nitro.dk> In-Reply-To: <200512041618.jB4GIeBf037651@repoman.freebsd.org> References: <200512041618.jB4GIeBf037651@repoman.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
On 2005.12.04 16:18:40 +0000, Ceri Davies wrote:
> ceri 2005-12-04 16:18:40 UTC
>
> FreeBSD doc repository
>
> Modified files:
> en send-pr.sgml
> en/cgi Makefile confirm-code.cgi
> Removed files:
> en/cgi sendpr-code.cgi
> Log:
> Refactor the "confirmation code" stuff into a general purpose script.
>
> confirm-code.cgi contains a preconfigured list of databases and their
> parameters. When a request comes in, the database in the request's 'db'
> parameter is checked for validity, and a code is generated, stored in
> the appropriate database and returned.
>
> Use this new script in send-pr.sgml and remove sendpr-code.cgi which is
> now superceded.
[...]
> | --- www/en/cgi/confirm-code.cgi 2005/11/11 08:58:06 1.5
> | +++ www/en/cgi/confirm-code.cgi 2005/12/04 16:18:40 1.6
[...]
> | @@ -22,52 +25,81 @@ my @availchars = qw(A B C D E F G H J K
> | $pnmcat = "/usr/local/bin/pnmcat";
> | $pnmtopng = "/usr/local/bin/pnmtopng";
> | $pnmdatadir = "../gifs/";
> | -$dbpath = "/tmp/sendpr-code.db";
> | -$expiretime = 2700; # seconds until code expires
> | +$expiretime = 0; # Default for the Expires: header
> | ############################################
> |
> | +# The code databases that we know about. If a query comes in for
> | +# anything else, we return a zero byte "image" (rather than an image
> | +# with a rude word in, which was tempting).
> | +
> | +%db = (
> | +# The querypr one is not used, but stands as an example.
> | +# querypr => {
> | +# path => '/tmp/querypr-code.db',
> | +# lifespan => 2700,
> | +# },
> | + sendpr => {
> | + path => '/tmp/sendpr-code.db',
> | + lifespan => 2700,
> | + },
> | +);
Could we put the database somewhere else, IE. not in a world writeable
directory, so we don't have obvious potential temporary file
vulnerabilities?
While the real problem is very small (since so few people have access
to www) I would on principle greatly prefer to have the database
somewhere else, e.g. under /usr/local/www/var/confirm-code ?
I can create the directory and set apropriate permimssions for this to
work.
--
Simon L. Nielsen
[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)
iD8DBQFDkx9kh9pcDSc1mlERAj/dAJ9Gt/UDGV3vEfelHs/pbp4K5JJWegCdHvHU
4JaovD+HgDraFfFuJlFgU+8=
=N4zC
-----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051204165500.GF846>