On Tue, Mar 23, 2004 at 12:39:29PM +0100, Björn Stenberg wrote:
> http://cgi.debian.org/cgi-bin/redirect.pl is being abused to create links to
> non-debian material that to uninformed users look as links to debian.org
> content.
>
> An example:
> http://slashdot.org/comments.pl?sid=101404&cid=8643344
>
> I suggest the script be limited in what it allows redirection to.
>
> (Please CC me on replies. I am not subscribed to the list.)
Hmm, I think we could tighten the requirements on the request because
only one of the possible redirects methods is actually used in
redirect.pl:
--- /org/cgi.debian.org/cgi-bin/redirect.pl Mon Oct 28 04:21:09 2002
+++ redirect.pl Tue Mar 23 06:47:45 2004
@@ -24,13 +24,13 @@
# print $input->header('text/html'); -- not allowed according to CGI(3pm)
$site = $input->param('site');
- if ($input->param('page')) {
- if ($site =~ /^\w\w$/) {
- print
$input->redirect("http://www.".$site.".debian.org".$input->param('page'))
- } else {
- print $input->redirect($site.$input->param('page'))
- }
+ if ($input->param('page') && ($site =~ /^\w\w$/)) {
+ print
$input->redirect("http://www.".$site.".debian.org".$input->param('page'));
} else {
- print $input->redirect($site);
+ print $input->header( -status => 400 );
+ print $input->start_html("Malformed parameters");
+ print $input->h1("Malformed parameters");
+ print $input->p("Sorry, couldn't redirect because one or more parameters
were missing and/or malformed");
+ print $input->end_html;
}
}
Gruesse,
--
Frank Lichtenheld <[EMAIL PROTECTED]>
www: http://www.djpig.de/
