Date: Thu, 31 Oct 2002 22:14:24 +0000
From: Ceri Davies <setantae@submonkey.net>
To: Giorgos Keramidas <keramida@freebsd.org>
Cc: www@freebsd.org
Subject: Re: problem with bug report website
Message-ID: <20021031221424.GA14307@submonkey.net>
In-Reply-To: <20021031201126.GD16613@gray.sea.gr>
References: <Pine.BSF.4.21.0210310950580.5122-100000@mave.nlanr.net> <20021031201126.GD16613@gray.sea.gr>
On Thu, Oct 31, 2002 at 10:11:27PM +0200, Giorgos Keramidas wrote:
> On 2002-10-31 09:52, Todd Hansen <tshansen@nlanr.net> wrote:
> > http://www.freebsd.org/send-pr.html
> >
> > returns: Forbidden
> >
> > That link is on the front of the www.freebsd.org website.
>
> There was a recent flood of bogus PRs sent from the web interface,
> that caused problems to the Ports Team. This has been disabled
> (hopefully for a short while), until we find a better way to get PRs
> through the web. I'm sorry for any inconvenience this has caused.

I've knocked up the attached patch. It doesn't fix the problem really, but
does log all of the relevant info provided by the webserver so that we can
see if there are any trends. Note that most, if not all, of these fields
can be spoofed by the client.

I think a good fix would be to rate-limit access to the cgi scripts by IP
in the httpd configuration; comments?

Ceri

--
you can't see when light's so strong
you can't see when light is gone

Attachment: dosendpr.cgi.diff

Index: dosendpr.cgi =================================================================== RCS file: /home/ncvs/www/en/cgi/dosendpr.cgi,v retrieving revision 1.9 diff -u -r1.9 dosendpr.cgi --- dosendpr.cgi 5 Oct 2002 12:17:19 -0000 1.9 +++ dosendpr.cgi 31 Oct 2002 22:09:28 -0000
@@ -19,6 +19,27 @@ my $blackhole_err = 0; my $openproxy; +# Environment variables to stuff in the PR header. +my @ENV_captures = qw/ REMOTE_HOST + REMOTE_ADDR + REMOTE_PORT + HTTP_REFERER + HTTP_CLIENT_IP + HTTP_FORWARDED + HTTP_VIA + HTTP_X_FORWARDED_FOR /; + +# env2hdr (@ENV_captures) +# Returns X-header style headers for inclusion in the header of a PR +sub env2hdr (@) { + my $headers = ""; + for my $var (shift @_) { + next unless $ENV{$var}; + $headers .= "X-$var: $ENV{$var}\n"; + } + return $headers; +} + # isopenproxy ($ip, $blackhole_zone, $positive_ip) # Returns undef on error, 0 if DNS lookup fails, $positive_ip if verified # proxy. A DNS lookup failing can either means that there was a network @@ -109,9 +130,9 @@ $pr = "To: $gnemail\n" . "From: $cgi_data{'originator'} <$cgi_data{'email'}>\n" . "Subject: $cgi_data{'synopsis'}\n" . - "X-Originating-IP: $ENV{'REMOTE_ADDR'}\n"; + env2hdr(@ENV_captures); if ($blackhole_err) { - $pr .= "X-Originating-IP-Is-Open-Proxy: Maybe\n"; + $pr .= "X-REMOTE_ADDR-Is-Open-Proxy: Maybe\n"; } $pr .= "X-Send-Pr-Version: www-1.0\n\n" . ">Submitter-Id:\t$cgi_data{'submitterid'}\n" .
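Review bot: in the first hunk, `for my $var (shift @_) {` in env2hdr loops over only the first argument, so `env2hdr(@ENV_captures)` emits an X-REMOTE_HOST line and silently drops the other seven variables; it should read `for my $var (@_) {` to walk the whole list. Since these values are client-supplied request headers (as the cover note itself says), it would also be prudent to strip CR and LF from `$ENV{$var}` before interpolating it into a header line, so that a single value cannot spill past the line the script intends it to occupy.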
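Review bot: in the second hunk, renaming X-Originating-IP to X-REMOTE_ADDR (and X-Originating-IP-Is-Open-Proxy to X-REMOTE_ADDR-Is-Open-Proxy) breaks any mail filter or search that already keys on the old header names; keeping `"X-Originating-IP: $ENV{'REMOTE_ADDR'}\n" .` in front of `env2hdr(@ENV_captures)` and leaving the Is-Open-Proxy header name as it was would make the new logging purely additive. The concatenation itself is safe even when env2hdr returns an empty string, because the preceding Subject line already ends in "\n".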