Date: Wed, 29 Aug 2007 08:08:24 +0200
From: Gaël Vittu <gael.vittu-ext@cnamts.fr>
To: Thiago Lacerda Zago <tzago@timbrasil.com.br>
Cc: freebsd-cvsweb@FreeBSD.org
Subject: Re: cvsweb authentication implementation
Message-ID: <46D50D58.8020009@cnamts.fr>
In-Reply-To: <1EA6EF878B09DC44892FD9C2BE4D68421A2654@SNEDCPMS01.internal.timbrasil.com.br>
References: <1EA6EF878B09DC44892FD9C2BE4D68421A2654@SNEDCPMS01.internal.timbrasil.com.br>
Hello,
This message comes to you because Perl is launched in 'tainted' mode (1st
line of cvsweb.cgi => -T).
To use variables, you'll have to check them before using them.
In my version of CVSWeb, I've got to read configuration files so that
users can use their own profiles. Let's say that '$myvar' is the name of
that profile. I have to add '.conf' to create the name of the conf file:
Try this:
    if ($myvar =~ /^([-\@\w.]+)$/) {
        # Only the regex capture $1 is untainted under -T; reassigning
        # "$myvar" to itself would keep the taint flag.
        $myvar = $1 . ".conf"; # $myvar is now clean (perl option -T)
    }
If you're interested in my version so that your users can create their
own profiles, let me know.
Gaël
Thiago Lacerda Zago wrote:
> Hi,
>
> I'm implementing, let me say, a sort of authentication in cvsweb so
> that only our permitted staff could use this tool through our intranet.
>
> I'm doing so by reading the PHP session of the starting page that
> calls cvsweb.cgi, and using PHP::Session to retrieve the user-provided
> data. Then I'm propagating the session id through all cvsweb.cgi
> links through method GET and CGI param().
>
> I'm almost done with this task but now I am facing a problem that I was not
> able to solve yet.
>
> When I click on the link that follows the icon to show the revisions
> graphically, the reference link is
> http://xxx/cgi-bin//cvsweb.cgi/dcn_cor/router.db?graph=1;sid=5s4gj964cd4c2j88ljsxz3qopr
>
> Where sid=5s4gj964cd4c2j88ljsxz3qopr in this case is the php session id
> that I'm sending along the link
> http://xxx/cgi-bin//cvsweb.cgi/dcn_cor/router.db?graph=1 so that the
> graph page could be authenticated and allowed to be displayed as well.
>
> The problem is that I keep getting this error message.
>
>
> :: Error ::
>
> Error: '/usr/bin/cvsgraph -r /usr/local/rancid/var/CVS -m dcn_cor/configs/ -i -M CvsGraphMap -x x -Omap_branch_href="href=\"./?only_with_tag=%(%t%);sortby=date\"" -Omap_rev_href="href=\"?rev=%(%R%);sortby=date\"" -Omap_diff_href="href=\"%(0.000000%).diff?sid=5s4gj964cd4c2j88ljsxz3qopr;r1=%(%P%);r2=%(%R%);sortby=date\"" -c /etc/cvsgraph.conf router005,v' failed: Insecure dependency in exec while running with -T switch at /usr/lib/perl5/site_perl/5.8.0/IPC/Run.pm line 1272. at /xxx/www/cgi-bin/cvsweb.cgi line 4545
>
> The sub customized to accomplish this is doGraphView().
>
> The funny thing is that this error occurs only when I add a ?sid=$id to
> the array @graph_cmd as shown right below.
>
> my @graph_cmd =
>   ($CMD{cvsgraph},
>    '-r', $cvsroot,
>    '-m', $pathname,
>    '-i',
>    '-M', $mapname,
>    '-x', 'x',
>    "-Omap_branch_href=\"href=\\\"./?only_with_tag=%(%t%)$notag_query\\\"\"",
>    "-Omap_rev_href=\"href=\\\"?rev=%(%R%)$barequery\\\"\"",
>    "-Omap_diff_href=\"href=\\\"%(%F%).diff" .
>    "?sid=$id;r1=%(%P%);r2=%(%R%)$barequery\\\"\"",
>   );
>
> If I do the same thing but this time manually writing the var
> ?sid=5s4gj964cd4c2j88ljsxz3qopr, it just works fine and no error is issued at
> all.
>
> my @graph_cmd =
>   ($CMD{cvsgraph},
>    '-r', $cvsroot,
>    '-m', $pathname,
>    '-i',
>    '-M', $mapname,
>    '-x', 'x',
>    "-Omap_branch_href=\"href=\\\"./?only_with_tag=%(%t%)$notag_query\\\"\"",
>    "-Omap_rev_href=\"href=\\\"?rev=%(%R%)$barequery\\\"\"",
>    "-Omap_diff_href=\"href=\\\"%(%F%).diff" .
>    "?sid=5s4gj964cd4c2j88ljsxz3qopr;r1=%(%P%);r2=%(%R%)$barequery\\\"\"",
>   );
>
> Any hint on how to solve this problem and/or a better solution for
> implementing a cvsweb authentication?
>
> Thanks in advance.
>
> Thiago Zago
>
--
Gaël VITTU - DDSI/DIQ/DRI
04.76.69.43.91
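As an added example (not cvsweb's own code, nor either poster's), here is the untainting both messages turn on, applied to the session id that doGraphView() interpolates into the cvsgraph command: the literal sid works because a string literal is never tainted, while the value returned by param() is, and the fix is to keep only the regex capture. The sub names untaint_sid and diff_href_option, the accepted id format and the sample values are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not cvsweb's own code: validate a PHP session id taken from
# a CGI parameter before it is interpolated into the cvsgraph argument list.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T only a regex capture ($1) yields a clean value.  Assigning $id
# back to itself ($id = "$id") or concatenating onto it keeps the taint
# flag, which is why IPC::Run refuses to exec the command.
sub untaint_sid {
    my ($id) = @_;
    return undef unless defined $id;
    # Assumption: ids are 16 to 64 ASCII letters or digits, like the one in
    # the thread.  Anything else is rejected rather than "cleaned up".
    return $id =~ /^([A-Za-z0-9]{16,64})$/ ? $1 : undef;
}

# Builds the -Omap_diff_href option the way doGraphView() does, but only
# from an id that passed the allowlist (hypothetical helper name).
sub diff_href_option {
    my ($sid, $barequery) = @_;
    my $clean = untaint_sid($sid);
    die "refusing to run cvsgraph: session id failed validation\n"
        unless defined $clean;
    return "-Omap_diff_href=\"href=\\\"%(%F%).diff"
         . "?sid=$clean;r1=%(%P%);r2=%(%R%)$barequery\\\"\"";
}

# Constructed input: a zero-length slice of a tainted %ENV entry taints
# whatever it is concatenated with, the usual way to obtain tainted data in
# a stand-alone script without a real CGI request.
my $taint    = substr($ENV{PATH} // '', 0, 0);
my $good_sid = $taint . '5s4gj964cd4c2j88ljsxz3qopr';
my $bad_sid  = $taint . 'abc;sortby=date';

printf "param() value tainted:     %s\n", tainted($good_sid) ? 'yes' : 'no';
printf "after untaint_sid tainted: %s\n",
    tainted(untaint_sid($good_sid)) ? 'yes' : 'no';
print diff_href_option($good_sid, ';sortby=date'), "\n";
print defined untaint_sid($bad_sid) ? "bad id accepted\n" : "bad id rejected\n";
```

Run it as `perl -T example.pl`: invoking it as `perl example.pl` makes Perl exit with "Too late for -T option", since the switch must be given before the script is compiled.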