From: Jonathan S. <gel...@ge...> - 2001-11-16 21:36:06
On Sat, 17 Nov 2001, iain truskett wrote:

> * Nick Cleaton (ni...@cl...) [16 Nov 2001 17:56]:
>
> > Here are the problems I can see in the current nms-cgi guestbook.pl
> > script.
>
> > 1) Allows the upload of arbitrary HTML, $allow_html does nothing.
>
> True.

Fix straight away :)

> > 2) Makes changes in response to a GET request.
>
> Is that really a problem?

Examine rfc2616 with reference to the term 'idempotent' ;-} I'll get the world famed HTTP pedant Alan Flavell in here to explain this if we have difficulty.

I have a feeling that most of the scripts suffer from this problem; unfortunately we do have to consider the compatibility with the legacy of the Existing Body Of Matt's Scripts ....

> > 3) Truncates and rewrites the file, so someone viewing the
> > guestbook might see a short or empty guestbook during
> > an update.
>
> True. Are you thinking a 'write to new file and mv it' thing?

I have a version of guestbook.pl that does this but is so vastly different from the version in CVS that I am holding off on it.

> > Is anyone working on these ?
>
> > Shall I have a go ?
>
> Go for it?

Nick, how do you feel about sizing up the holes (and incompliancies) in all the scripts and documenting them - bearing in mind that we are going to have to support by default the existing behaviour (that is to say we can't lose the GET thing right now.) Once documented we can find willing slaves to implement the changes if necessary :)

I would also like you to examine the 'spam pawn' potential in the FormMail.pl if you are up for the gig ...

For the crowd - Nick is the one person who keeps me honest with respect to security matters at work. I would trust him with my mother's server ;-}

/J\
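
The 'write to new file and mv it' approach raised under point 3, as an added example that is not part of the original message and not the nms-cgi code. The `add_entry` helper, the `.lock` file name and the sample entries are assumptions, and the entry is appended rather than inserted at a marker to keep the sketch short.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:flock);
use File::Temp qw(tempfile tempdir);
use File::Basename qw(dirname);

# Hypothetical helper: add one (already escaped) entry to a guestbook file
# without ever exposing a truncated or half-written file to readers.
sub add_entry {
    my ($path, $entry_html) = @_;

    # Serialise writers on a separate lock file. The guestbook itself is
    # replaced by rename(), so a lock held on it would not survive the swap.
    open(my $lock, '>>', "$path.lock") or die "open $path.lock: $!";
    flock($lock, LOCK_EX) or die "flock: $!";

    # Read the current contents; a missing file counts as empty.
    my $old = '';
    if (open(my $in, '<', $path)) {
        local $/;
        $old = <$in>;
        $old = '' unless defined $old;
        close($in);
    }

    # Build the new version in a temp file in the same directory, so the
    # rename() stays on one filesystem and is atomic.
    my ($tmp, $tmpname) = tempfile('.guestbook.XXXXXX', DIR => dirname($path));
    print {$tmp} $old, $entry_html, "\n" or die "write $tmpname: $!";
    close($tmp) or die "close $tmpname: $!";
    chmod(0644, $tmpname) or die "chmod $tmpname: $!";  # tempfile() creates 0600

    # Readers now see either the old file or the complete new one.
    rename($tmpname, $path)
        or do { my $err = $!; unlink $tmpname; die "rename: $err" };

    close($lock);   # releases the lock
    return 1;
}

# Constructed demo in a scratch directory.
my $dir = tempdir(CLEANUP => 1);
add_entry("$dir/guestbook.html", '<p>first entry (constructed)</p>');
add_entry("$dir/guestbook.html", '<p>second entry (constructed)</p>');
open(my $fh, '<', "$dir/guestbook.html") or die "open: $!";
print while <$fh>;
close($fh);
```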