From owner-freebsd-www Thu Oct 31 14:14:28 2002
Delivered-To: freebsd-www@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0980137B401; Thu, 31 Oct 2002 14:14:26 -0800 (PST)
Received: from rhadamanth.submonkey.net (pc1-cdif2-4-cust210.cdf.cable.ntl.com [80.4.10.210]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3244743E75; Thu, 31 Oct 2002 14:14:25 -0800 (PST) (envelope-from setantae@submonkey.net)
Received: from setantae by rhadamanth.submonkey.net with local (Exim 4.10) id 187Na4-0003ky-00; Thu, 31 Oct 2002 22:14:24 +0000
Date: Thu, 31 Oct 2002 22:14:24 +0000
From: Ceri Davies
To: Giorgos Keramidas
Cc: www@freebsd.org
Subject: Re: problem with bug report website
Message-ID: <20021031221424.GA14307@submonkey.net>
Mail-Followup-To: Ceri Davies , Giorgos Keramidas , www@freebsd.org
References: <20021031201126.GD16613@gray.sea.gr>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="yrj/dFKFPuw6o+aM"
Content-Disposition: inline
In-Reply-To: <20021031201126.GD16613@gray.sea.gr>
X-message-flag: All your linuxconf-configured redhat are belong to us.
X-message-flag-attribution: suresh, sdm.
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd-www@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

--yrj/dFKFPuw6o+aM
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Thu, Oct 31, 2002 at 10:11:27PM +0200, Giorgos Keramidas wrote:
> On 2002-10-31 09:52, Todd Hansen wrote:
> > http://www.freebsd.org/send-pr.html
> >
> > returns: Forbidden
> >
> > That link is on the front of the www.freebsd.org website.
>
> There was a recent flood of bogus PRs sent from the web interface
> that caused problems for the Ports Team. This has been disabled
> (hopefully for a short while), until we find a better way to get PRs
> through the web. I'm sorry for any inconvenience this has caused.

I've knocked up the attached patch. It doesn't fix the problem really,
but does log all of the relevant info provided by the webserver so that
we can see if there are any trends. Note that most, if not all, of
these fields can be spoofed by the client.

I think a good fix would be to rate-limit access to the cgi scripts by
IP in the httpd configuration; comments?
Ceri

--
you can't see when light's so strong
you can't see when light is gone

--yrj/dFKFPuw6o+aM
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="dosendpr.cgi.diff"

Index: dosendpr.cgi
===================================================================
RCS file: /home/ncvs/www/en/cgi/dosendpr.cgi,v
retrieving revision 1.9
diff -u -r1.9 dosendpr.cgi
--- dosendpr.cgi 5 Oct 2002 12:17:19 -0000 1.9
+++ dosendpr.cgi 31 Oct 2002 22:09:28 -0000
@@ -19,6 +19,27 @@ my $blackhole_err = 0; my $openproxy; +# Environment variables to stuff in the PR header. +my @ENV_captures = qw/ REMOTE_HOST + REMOTE_ADDR + REMOTE_PORT + HTTP_REFERER + HTTP_CLIENT_IP + HTTP_FORWARDED + HTTP_VIA + HTTP_X_FORWARDED_FOR /; + +# env2hdr (@ENV_captures) +# Returns X-header style headers for inclusion in the header of a PR +sub env2hdr (@) { + my $headers = ""; + for my $var (shift @_) { + next unless $ENV{$var}; + $headers .= "X-$var: $ENV{$var}\n"; + } + return $headers; +} + # isopenproxy ($ip, $blackhole_zone, $positive_ip) # Returns undef on error, 0 if DNS lookup fails, $positive_ip if verified # proxy. A DNS lookup failing can either means that there was a network @@ -109,9 +130,9 @@ $pr = "To: $gnemail\n" . "From: $cgi_data{'originator'} <$cgi_data{'email'}>\n" . "Subject: $cgi_data{'synopsis'}\n" . - "X-Originating-IP: $ENV{'REMOTE_ADDR'}\n"; + env2hdr(@ENV_captures); if ($blackhole_err) { - $pr .= "X-Originating-IP-Is-Open-Proxy: Maybe\n"; + $pr .= "X-REMOTE_ADDR-Is-Open-Proxy: Maybe\n"; } $pr .= "X-Send-Pr-Version: www-1.0\n\n" . ">Submitter-Id:\t$cgi_data{'submitterid'}\n" .

--yrj/dFKFPuw6o+aM--
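Review bot: in the first hunk, `for my $var (shift @_)` in env2hdr loops over a one-element list, so only the first name passed in (REMOTE_HOST) is ever checked and the other seven captures are silently never emitted; it should read `for my $var (@_)`. Since each value is appended verbatim as `"X-$var: $ENV{$var}\n"`, and all of the HTTP_* variables are copied from request headers the client controls (as the cover note itself says), strip CR, LF and other control characters from `$ENV{$var}` before building the line, so that a crafted header value cannot add lines of its own to the PR header block.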
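Review bot: in the second hunk, replacing the `"X-Originating-IP: $ENV{'REMOTE_ADDR'}\n"` line with `env2hdr(@ENV_captures)` renames that header to `X-REMOTE_ADDR:` and the flag to `X-REMOTE_ADDR-Is-Open-Proxy:`, so any filter or report keyed on the old `X-Originating-IP` names stops matching; either keep emitting `X-Originating-IP:` next to the new headers or call the rename out when committing. Note also that env2hdr skips unset variables, so with REMOTE_ADDR missing the PR now carries no originating-address header at all, where the old code always wrote one; emitting a fixed marker in that case would keep the header set predictable for whoever is looking for trends in the logs.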
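The capture Ceri's patch performs, as an added example that is not part of his patch or of the FreeBSD www tree, written in Python rather than the CGI's Perl so it can be run stand-alone. It keeps the same variable list but makes the two points the cover note raises concrete: every value is sanitized before it becomes a mail header line (so a client-supplied header cannot smuggle extra lines into the PR), the client-controlled HTTP_* names are called out in a trailer header, and the rate limit is keyed on REMOTE_ADDR, the one address the web server observed on the connection, not on the spoofable proxy headers. The function and class names, the limits, the `X-Client-Supplied` trailer and the sample environment are assumptions made for illustration.

```python
"""Added example, not code from the FreeBSD www tree or Ceri's patch:
the same CGI-environment capture in Python, with the values sanitized
before they become mail header lines, plus a per-address rate limiter
keyed on REMOTE_ADDR. Names, limits and the sample environment are
assumptions made for illustration."""
import re
import time
from collections import defaultdict, deque

# The variable list from the patch, split by who controls the value.
# The server fills the REMOTE_* ones from the TCP connection it accepted;
# the HTTP_* ones are request headers the client may set to anything.
SERVER_SET = ("REMOTE_HOST", "REMOTE_ADDR", "REMOTE_PORT")
CLIENT_SUPPLIED = ("HTTP_REFERER", "HTTP_CLIENT_IP", "HTTP_FORWARDED",
                   "HTTP_VIA", "HTTP_X_FORWARDED_FOR")
ENV_CAPTURES = SERVER_SET + CLIENT_SUPPLIED

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF, NUL, TAB, ...


def sanitize_header_value(value, max_len=256):
    """Make an untrusted string safe to embed in one header line: drop
    control characters (a CR or LF would otherwise start a new header)
    and cap the length so a huge header cannot bloat the PR."""
    return _CONTROL_CHARS.sub("", value)[:max_len]


def env2hdr(env, names=ENV_CAPTURES):
    """Return 'X-<NAME>: <value>\\n' lines for every variable in `names`
    that is set and non-empty, in the order given, each value sanitized.
    A trailing X-Client-Supplied header (an assumed name) lists which of
    the emitted variables came from the client, so a reader of the PR
    knows which lines cannot be trusted."""
    lines, untrusted = [], []
    for name in names:
        value = env.get(name)
        if not value:
            continue
        lines.append("X-%s: %s\n" % (name, sanitize_header_value(value)))
        if name in CLIENT_SUPPLIED:
            untrusted.append(name)
    if untrusted:
        lines.append("X-Client-Supplied: %s\n" % " ".join(untrusted))
    return "".join(lines)


class RemoteAddrRateLimiter:
    """Sliding-window limiter: at most `limit` submissions per `window`
    seconds from one REMOTE_ADDR. State is in memory, so this models the
    policy only; a CGI that runs per request would have to persist it."""

    def __init__(self, limit=5, window=3600.0):
        self.limit = limit
        self.window = window
        self.seen = defaultdict(deque)

    def allow(self, env, now=None):
        now = time.time() if now is None else now
        addr = env.get("REMOTE_ADDR", "")
        if not addr:
            return False            # no server-observed address: refuse
        stamps = self.seen[addr]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()        # expire entries outside the window
        if len(stamps) >= self.limit:
            return False
        stamps.append(now)
        return True


# Constructed sample environment: the client is trying to smuggle an
# extra header line through X-Forwarded-For.
SAMPLE_ENV = {
    "REMOTE_ADDR": "192.0.2.10",
    "REMOTE_PORT": "40123",
    "HTTP_REFERER": "http://www.freebsd.org/send-pr.html",
    "HTTP_X_FORWARDED_FOR": "203.0.113.5\r\nX-Send-Pr-Version: forged",
}


def demo():
    """Headers for SAMPLE_ENV, and the limiter's decisions for four
    submissions at t=0, 1, 2 and 61 seconds with limit=2, window=60."""
    headers = env2hdr(SAMPLE_ENV)
    limiter = RemoteAddrRateLimiter(limit=2, window=60.0)
    decisions = [limiter.allow(SAMPLE_ENV, now=t) for t in (0, 1, 2, 61)]
    return headers, decisions


if __name__ == "__main__":
    hdrs, decisions = demo()
    print(hdrs, decisions)
```

With the sample environment the forged `X-Send-Pr-Version` line ends up glued onto the end of the `X-HTTP_X_FORWARDED_FOR:` value instead of becoming a header of its own, and the third submission inside the 60-second window is refused while the fourth, after the window has expired, is accepted again. Keying the limiter on REMOTE_ADDR is the point: the HTTP_* values are useful for spotting trends, as the cover note says, but a limit keyed on them would be trivially evaded by the same client that can set them.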