From owner-freebsd-cvsweb@FreeBSD.ORG Mon Jun 21 12:33:19 2004
Return-Path:
Delivered-To: freebsd-cvsweb@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9A37316A4CE for ; Mon, 21 Jun 2004 12:33:19 +0000 (GMT)
Received: from UKExt5.uk.exel.com (ukext5.exel.com [217.33.239.41]) by mx1.FreeBSD.org (Postfix) with ESMTP id D560843D5F for ; Mon, 21 Jun 2004 12:33:18 +0000 (GMT) (envelope-from Josephine.Nolan@exel.com)
To: freebsd-cvsweb@freebsd.org
X-Mailer: Lotus Notes Release 5.0.8 June 18, 2001
Message-ID:
From: Josephine Nolan
Date: Mon, 21 Jun 2004 13:34:22 +0100
X-MIMETrack: Serialize by Router on UKExt5/Exel-External(Release 6.5.1IF1|March 16, 2004) at 2004-06-21 13:34:39
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Subject: Question on CVS
X-BeenThere: freebsd-cvsweb@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: CVS Web maintenance mailing list
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 21 Jun 2004 12:33:19 -0000

I was wondering if anyone can help me. I am looking to find out if it is possible to alter the main view in cvsweb to view the first log entry instead of the last log entry. We have cvsweb linked to a Linux machine and I am looking to have another version of cvsweb.cgi - one with the last log entry and one with the first log entry. Is this possible, and where in Perl can this change be made? Bearing in mind I do not know Perl at all!!

Thanks for your help,
Josephine Nolan

Important Email Information
The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. If you are not the intended addressee please contact the sender and dispose of this e-mail.
From owner-freebsd-cvsweb@FreeBSD.ORG Mon Jun 21 13:08:19 2004
From: Josephine Nolan
To: freebsd-cvsweb@freebsd.org
Date: Mon, 21 Jun 2004 14:10:22 +0100
Subject: Change view of CVSWEB using perl to display initial log entry instead of last log entry

I was wondering if anyone can help me. I am looking to find out if it is possible to alter the main view in cvsweb to view the first log entry instead of the last log entry. We have cvsweb linked to a Linux machine and I am looking to have another version of cvsweb.cgi - one with the last log entry and one with the first log entry. Is this possible, and where in Perl can this change be made? Bearing in mind I do not know Perl at all!!

Thanks for your help,
Josephine Nolan

Already logged, but with insufficient detail in the subject.
From owner-freebsd-cvsweb@FreeBSD.ORG Wed Jun 23 13:13:24 2004
From: Human Resources
To: freebsd-cvsweb@freebsd.org
Date: Wed, 23 Jun 2004 08:13:38 -0700
Subject: New Job Openings
Message-Id: <200406231313.i5NDD7Pa262576@pimout3-ext.prodigy.net>

We have new job openings in the Tucson area and are writing to ask for your permission to send you the job leads. If you would like to grant us your permission, please click on the following link, or copy/paste the link into your web browser to complete the authorization form.

http://srv1.ijonn.com/rc.html?ST=AZ--Tucson&e=freebsd-cvsweb%40freebsd.org&CI=6581006

Sincerely,
E-online Career Info Services
1645 Pat Booker Rd #103, PMB 105, Universal City TX 78148

----- Notes: You are receiving this invitation because you were in response to our employment ads posted in a newspaper or on the Internet, or you were referred this item by a friend. If you are no longer available, please kindly ignore this email, or reply to this email with Subject: NotAvailable, or click the above link and select the option: No, I am not available. Please DO NOT contact me anymore.

From owner-freebsd-cvsweb@FreeBSD.ORG Wed Jun 23 18:10:27 2004
Date: Thu, 24 Jun 2004 03:10:19 +0900
Message-ID: <86eko6gn78.knu@iDaemons.org>
From: "Akinori MUSHA"
To: freebsd-cvsweb@freebsd.org
Organization: Associated I. Daemons
Subject: limiting the query string length

Hi,

What about limiting the query string length to prevent potential exploit attacks against cvs?

Index: cvsweb.cgi
===================================================================
RCS file: /mirror/freebsd/ncvs/root/projects/projects/cvsweb/cvsweb.cgi,v
retrieving revision 1.259
diff -u -r1.259 cvsweb.cgi
--- cvsweb.cgi	8 May 2004 14:13:40 -0000	1.259
+++ cvsweb.cgi	23 Jun 2004 17:28:15 -0000
@@ -384,7 +384,9 @@
 my %query = ();
 if (defined($ENV{QUERY_STRING})) {
-  for my $p (split(/[;&]+/, $ENV{QUERY_STRING})) {
+  my $qs = $ENV{QUERY_STRING};
+  length($qs) >= 1024 and fatal('500 Internal Error', 'Malformed request.');
+  for my $p (split(/[;&]+/, $qs)) {
     next unless $p;
     $p =~ y/+/ /;
     my ($key, $val) = split(/=/, $p, 2);

Regards,

-- 
Akinori MUSHA aka knu @ iDaemons.org / Akinori.org / MUSHA.org / FreeBSD.org / Ruby-lang.org / and.or.jp
"It seems to me as we make our own few circles 'round the sun
 We get it backwards and our seven years go by like one"
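Review bot: the new check in this hunk bounds only $ENV{QUERY_STRING}, so the path part of the request (PATH_INFO under CGI), which is the other piece that ends up as a cvs(1) argument, still reaches the rest of the script unchecked; the same bound should be applied to it before it is used. Two smaller points on the added line: reporting an over-long request as '500 Internal Error' labels a client mistake as a server failure, and the HTTP status meant for this case is '414 Request-URI Too Long', which together with a message such as 'Query string longer than 1024 bytes.' also tells the client what was wrong; and the literal 1024 would be easier to tune as a named variable than as a magic number buried in the parsing loop.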
From: Ville Skyttä
To: freebsd-cvsweb@freebsd.org
Organization: FreeBSD
Date: Thu, 24 Jun 2004 22:54:18 +0300
Subject: Re: limiting the query string length
Message-Id: <1088106858.27589.1455.camel@bobcat.mine.nu>
In-Reply-To: <86eko6gn78.knu@iDaemons.org>
References: <86eko6gn78.knu@iDaemons.org>

On Wed, 2004-06-23 at 21:10, Akinori MUSHA wrote:
> What about limiting the query string length to prevent potential
> exploit attacks against cvs?

Why not, it's just a couple of lines, but...

> + length($qs) >= 1024 and fatal('500 Internal Error', 'Malformed request.');

... I think at least the message should be improved to tell exactly what is wrong with the request.

Other points worth noting:
- Maybe it's not only the query string (don't remember now, haven't checked), long paths may get passed to cvs(1) too, right?
- The request URI length can be limited on web server level as well, for example for Apache (1.3.2+) see the LimitRequestLine directive.
From owner-freebsd-cvsweb@FreeBSD.ORG Fri Jun 25 02:51:44 2004
From: OA State Data Center Helpdesk
To: freebsd-cvsweb@freebsd.org
Date: Thu, 24 Jun 2004 21:51:43 -0500 (CDT)
Subject: Re: Failed (helpdesk@mail.state.mo.us)
Message-Id: <200406250251.i5P2ph83008655@services.state.mo.us>
In-Reply-To: <20040625025109.AC36E7D5FD@cranny.more.net>
References: <20040625025109.AC36E7D5FD@cranny.more.net>
Precedence: junk

Your request has been received and will be forwarded to the section responsible in the most expeditious manner. If you have any additional questions please call the helpdesk at (573) 751-2201. Thank you.

From owner-freebsd-cvsweb@FreeBSD.ORG Fri Jun 25 14:33:49 2004
Date: Fri, 25 Jun 2004 23:33:41 +0900
Message-ID: <86659fzoze.knu@iDaemons.org>
From: "Akinori MUSHA"
To: freebsd-cvsweb@freebsd.org
Organization: Associated I. Daemons
Subject: Re: limiting the query string length
In-Reply-To: <1088106858.27589.1455.camel@bobcat.mine.nu>
References: <86eko6gn78.knu@iDaemons.org> <1088106858.27589.1455.camel@bobcat.mine.nu>

Hi,

At Thu, 24 Jun 2004 22:54:18 +0300,
Ville Skyttä wrote:
> On Wed, 2004-06-23 at 21:10, Akinori MUSHA wrote:
> 
> > What about limiting the query string length to prevent potential
> > exploit attacks against cvs?
> 
> Why not, it's just a couple of lines, but...
> 
> > + length($qs) >= 1024 and fatal('500 Internal Error', 'Malformed request.');
> 
> ... I think at least the message should be improved to tell exactly what
> is wrong with the request.

In fact I thought the opposite (like "Don't give a hint to an attacker as to what was wrong with the try"); however, a more helpful message might not hurt in this case.

> Other points worth noting:
> - Maybe it's not only the query string (don't remember now, haven't
> checked), long paths may get passed to cvs(1) too, right?

Yeah, right. It should be checked, too.

> - The request URI length can be limited on web server level as well, for
> example for Apache (1.3.2+) see the LimitRequestLine directive.

True, but it all depends on the web server, and it would be nicer if CVSweb were made robust in itself, with any unconfigured (or only lightly tuned) web server.

Regards,

-- 
Akinori MUSHA aka knu @ iDaemons.org / Akinori.org / MUSHA.org / FreeBSD.org / Ruby-lang.org / and.or.jp
"It seems to me as we make our own few circles 'round the sun
 We get it backwards and our seven years go by like one"
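As an added example, not code from cvsweb or from anyone in this thread, here is a Perl sketch of the in-script robustness the thread converges on: it bounds both the query string and the path part before either is parsed, answers with a status and message that say which part was too long (Ville's point), and refuses path components that should never become a cvs(1) argument (the "long paths get passed to cvs(1) too" point). The limits, the 414 status choice and the helper name check_request are assumptions made for this illustration; a LimitRequestLine cap at the web server complements this check rather than replacing it.

```perl
#!/usr/bin/perl
# Added example, not cvsweb's own code: bound and sanity-check the two request
# parts a cvsweb-style CGI forwards to cvs(1) before parsing them.  The limits
# and the name check_request are assumptions made for this illustration.
use strict;
use warnings;

use constant MAX_QUERY_LEN => 1024;   # assumed cap, same figure as the thread
use constant MAX_PATH_LEN  => 512;    # assumed cap for the path part

# check_request($query_string, $path_info)
#   rejection: returns ($http_status, $message)
#   success:   returns (undef, \%parsed_query, $path_info)
sub check_request {
    my ($query_string, $path_info) = @_;
    $query_string = '' unless defined $query_string;
    $path_info    = '' unless defined $path_info;

    # An over-long URI is the client's fault: answer 414, and say which part.
    if (length($query_string) > MAX_QUERY_LEN) {
        return ('414 Request-URI Too Long',
                sprintf('Query string longer than %d bytes.', MAX_QUERY_LEN));
    }
    if (length($path_info) > MAX_PATH_LEN) {
        return ('414 Request-URI Too Long',
                sprintf('Path longer than %d bytes.', MAX_PATH_LEN));
    }

    # The path becomes a cvs(1) argument, so refuse NUL bytes and
    # parent-directory components instead of handing them on.
    return ('400 Bad Request', 'Path contains a NUL byte.') if $path_info =~ /\0/;
    for my $component (split m{/+}, $path_info) {
        return ('400 Bad Request', 'Path contains a ".." component.')
            if $component eq '..';
    }

    # Same split/decode shape as cvsweb's query loop, run only after the
    # size checks above have passed.
    my %query;
    for my $p (split /[;&]+/, $query_string) {
        next unless length $p;
        $p =~ y/+/ /;
        my ($key, $val) = split /=/, $p, 2;
        $val = '' unless defined $val;
        s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge for $key, $val;
        $query{$key} = $val;
    }
    return (undef, \%query, $path_info);
}

# Stand-alone demo on constructed inputs (perl check_request.pl).
unless (caller) {
    my @cases = (
        ['rev=1.2&f=h',        '/src/README'],        # accepted
        ['f=' . ('A' x 2000),  '/src/README'],        # query too long -> 414
        ['f=h',                '/src/../secret'],     # ".." component -> 400
    );
    for my $case (@cases) {
        my ($status, $result, $path) = check_request(@$case);
        if (defined $status) {
            print "rejected: $status ($result)\n";
        }
        else {
            my $q = join ',', map { "$_=$result->{$_}" } sort keys %$result;
            print "accepted: path=$path query=$q\n";
        }
    }
}
```

The check runs before any of the request is split or decoded, so the cost of a rejected request is one length comparison rather than a full parse; the separate messages for the query and path parts give the caller the specific error Ville asked for without revealing anything beyond the configured limit.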