Re: cvs commit: www/en send-pr.sgml www/en/cgi Makefile confirm-code.cgi sendpr-code.cgi

Sun, 04 Dec 2005 08:55:21 -0800 

On 2005.12.04 16:18:40 +0000, Ceri Davies wrote:
> ceri        2005-12-04 16:18:40 UTC
> 
>   FreeBSD doc repository
> 
>   Modified files:
>     en                   send-pr.sgml 
>     en/cgi               Makefile confirm-code.cgi 
>   Removed files:
>     en/cgi               sendpr-code.cgi 
>   Log:
>   Refactor the "confirmation code" stuff into a general purpose script.
>   
>   confirm-code.cgi contains a preconfigured list of databases and their
>   parameters.  When a request comes in, the database in the request's 'db'
>   parameter is checked for validity, and a code is generated, stored in
>   the appropriate database and returned.
>   
>   Use this new script in send-pr.sgml and remove sendpr-code.cgi which is
>   now superceded.
[...]
> | --- www/en/cgi/confirm-code.cgi     2005/11/11 08:58:06     1.5
> | +++ www/en/cgi/confirm-code.cgi     2005/12/04 16:18:40     1.6
[...]
> | @@ -22,52 +25,81 @@ my @availchars = qw(A B C D E F G H J K 
> |  $pnmcat = "/usr/local/bin/pnmcat";
> |  $pnmtopng = "/usr/local/bin/pnmtopng";
> |  $pnmdatadir = "../gifs/";
> | -$dbpath = "/tmp/sendpr-code.db";
> | -$expiretime = 2700;                # seconds until code expires
> | +$expiretime = 0;   # Default for the Expires: header
> |  ############################################
> |  
> | +# The code databases that we know about.  If a query comes in for
> | +# anything else, we return a zero byte "image" (rather than an image
> | +# with a rude word in, which was tempting).
> | +
> | +%db = (
> | +# The querypr one is not used, but stands as an example.
> | +#  querypr => {
> | +#          path => '/tmp/querypr-code.db',
> | +#          lifespan => 2700,
> | +#  },
> | +   sendpr => {
> | +           path => '/tmp/sendpr-code.db',
> | +           lifespan => 2700,
> | +   },
> | +);

Could we put the database somewhere else, IE. not in a world writeable
directory, so we don't have obvious potential temporary file
vulnerabilities?

While the real problem is very small (since so few people have access
to www) I would on principle greatly prefer to have the database
somewhere else, e.g. under /usr/local/www/var/confirm-code ?

I can create the directory and set apropriate permimssions for this to
work.

-- 
Simon L. Nielsen

Attachment: pgprh7Yikipmd.pgp
Description: PGP signature

Reply via email to