From: Jonathan S. <gel...@ge...> - 2002-03-05 21:12:40
|
I have added an alternate set of PNG digits to Image Counter (well just run
'mogrify -format png *.gif' in the digits directory actually :) - I am of
the opinion that we should remove the GIFs altogether at some point and have
added a comment in the README that this is likely to happen sometime in the
future. Does anyone have any opinions on this matter ?
While we are on the subject are these images still the same ones from the
MSA image counter ? If they are would it be possible for someone who has a
hand with a graphics program to make a new bunch of 15x27 PNGs that we can
distribute without upsetting anyone? Maybe it would be nice to have a small
library of them on the web site ;-}
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|
|
From: Jonathan S. <gel...@ge...> - 2002-03-05 21:07:41
|
Having put our code where our mouth is with the FormMail.pl on the web site
I would suggest that we also implement 'Simple Search' too - of course at
the moment we don't have that many documents that it would make worth having
a search on them but I figure that we could add the README files to the site
(nicely HTMLized of course).
So before I run 'txt2html.pl | tidy -icu -asxml' over the READMEs does
anyone have any feelings about this ? Actually I'm thinking of doing a
rewrite of txt2html that will output XHTML - the version that I have got
here I downloaded in November '97 ...
Alternatively we could convert the READMEs to POD or XML and deploy some
intermediate program to create both the distributed README and the HTML
version.
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|
|
From: Gianluca S. <gi...@ch...> - 2002-03-04 15:46:22
|
Jonathan Stowe said:
> I have applied the spirit of these changes and have updated the README.
Glad to be of any help!
> I have put the code in that guards the changes with
> $emulate_matts_code. I want to put an example in the search.html and
> there is a tiny change I would like to make to the code to stop someone
> submitting 100000000 in document and extending the array by that much.
Yes, that check is missing, maybe the easier thing is to select the '0'
option if the entered option is greater than the last array index.
I would do that myself, but I will be out all of this week, so I can't be
of much help from here.
> For myself I prefer mailing lists because I can read and reply to them
> on the train, a good mail client helps make things easier to follow.
OK, I can live with that for sure :) thanks for being so kind.
Regards
giallu
|
|
From: Jonathan S. <gel...@ge...> - 2002-03-04 10:31:46
|
On Mon, 4 Mar 2002, Jonathan Stowe wrote:
>
> I have crossposted this to the developer list in case anyone has any ideas
> about how we can switch this behaviour off in the configuration where
> people really do want to look in all the sub-directories.
>
I have just committed a version that has a $no_prune configuration that just
allows a full recursion if $emulate_matts_code is false - feel free to
implement this in another way or take it out altogether as it is more by way
of suggestion than anything else.
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|
|
From: Jonathan S. <gel...@ge...> - 2002-03-04 10:02:59
|
On Sun, 3 Mar 2002, Amer Neely wrote:
> Jonathan Stowe wrote:
> >
> > On Sun, 3 Mar 2002, Amer Neely wrote:
> >
> > > I've grabbed the web search script (search.zip) and have it installed,
> > > but can't get it to drill down into subdirectories. It does a fine job
> > > finding search terms in the top level directory, but none below it. Is
> > > this a known 'feature' or did I miss something in the config?
> > >
> >
> > You will need to set $emulate_matts_code to 0 in the first instance.
> >
>
> OK, I've done that, and checked the permissions on the subdirectories
> and they are all drwxr-xr-x
>
> I double-checked a subdirectory file to ensure it contains a word I'm
> looking for, but it refuses to search anything but the top level
> directory defined in $basedir.
>
> If someone has this script working correctly, I sure would like to know
> how.
>
It's probably not clear enough in the README, but for each level of
directory you want to go down you need to specify that in the
configuration so for instance if you wanted to search in all of the
sub-directories and their sub-directories then you should have something
like:
my @files = ('*.html','*/*.html','*/*/*.html');
So for each level you want to search down you will need to add a new entry
with a further '*/'.
I have crossposted this to the developer list in case anyone has any ideas
about how we can switch this behaviour off in the configuration where
people really do want to look in all the sub-directories.
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|
|
From: Jonathan S. <gel...@ge...> - 2002-03-03 22:02:12
|
On Thu, 28 Feb 2002, Gianluca Sforna wrote:
> This a diff output against revision 1.22; please be aware that I removed
> config lines (of course they are different) from the output.
> I can supply the whole modified script, if it could be of any help, and/or
> explanations (not likely to be necessary since my changes are almost
> trivial) about its new features.
>
I have applied the spirit of these changes and have updated the README.
> I would even add a $emulate_matt_code switch but, as stated in the previous
> mail to the mailing list, I never used Matt's search so I should first study
> his work.
>
I have put the code in that guards the changes with $emulate_matts_code.
I want to put an example in the search.html and there is a tiny change I
would like to make to the code to stop someone submitting 100000000 in
document and extending the array by that much.
>
> Only a question: why using only this mailing list and not the sourceforge
> forum section?? i think it is friendlier to users and easier to follow.
>
For myself I prefer mailing lists because I can read and reply to them on
the train, a good mail client helps make things easier to follow.
> Regards
>
> Giallu
>
> ------DIFF--------
>
> 121a114
> > my @subdirs = ('','/manual','/vmanual');
> 194,196c178,181
> < my $case = param("case") ? param("case") : "Insensitive";
> < my $bool = param("boolean") ? param("boolean") : "OR";
> < my $terms = param("terms") ? param("terms") : "";
> ---
> > my $case = param("case") ? param("case") : "Insensitive";
> > my $bool = param("boolean") ? param("boolean") : "OR";
> > my $terms = param("terms") ? param("terms") : "";
> > my $seldir = param("directory") ? @subdirs[param("directory")] : "";
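Review bot: param("directory") is used directly as the subscript in the added $seldir line, with no check that it is a non-negative integer no larger than $#subdirs. A non-numeric value, a negative value (which Perl counts from the end of the array) or an out-of-range value all reach the lookup, and an out-of-range one leaves $seldir undefined when it is later interpolated into $startdir. Suggest accepting the value only if it matches /^\d+$/ and is <= $#subdirs, falling back to index 0 otherwise, and writing the lookup as the scalar element $subdirs[...] rather than the one-element slice @subdirs[...].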
> 215c200
> < $startdir = $basedir;
> ---
> > $startdir = "$basedir$seldir";
> 256c241
> < return if ($File::Find::dir eq $blocked)
> ---
> > return if ($File::Find::dir =~ /$blocked/)
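Review bot: in the changed return line, $blocked is interpolated into the pattern unescaped and unanchored, so any regex metacharacters in the configured path (a '.' for instance) are treated as pattern syntax and the test matches every directory whose path merely contains that text. If the intent is to skip $blocked and everything beneath it, quote and anchor it, e.g. =~ /^\Q$blocked\E(?:\/|$)/, and state in the README that $blocked is a path prefix rather than a pattern.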
>
>
> ----END_DIFF------
>
>
> Jonathan Stowe said:
>
> >
> > This stuff looks like it will be useful but I would like to see the
> > patches so we can protect the naive user from any unsuspected changes,
> > we tend to guard behaviour that is dissimilar to the MSA script with an
> > $emulate_matts_code switch ... I am sure that Dave will set you up as
> > a developer on the project if you want to contribute some code ...
> >
>
>
> ---------------------------------------------
> Dr. Gianluca Sforna - Lab. for Chemometrics
> Dep. of Chemistry - University of Perugia
> via Elce di Sotto 10, 06123 Perugia - ITALY
> ---------------------------------------------
>
>
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|
|
From: Jonathan S. <gel...@ge...> - 2002-03-02 21:05:10
|
On Sat, 2 Mar 2002, Olivier Dragon wrote:
> While you're at it, would you mind adding
>
> $CGI::DISABLE_UPLOADS=1
> $CGI::POST_MAX=1024*20 # 20k (enough?) max posts
>
D'oh! I had actually meant to do that but got distracted. Thinking about it
should be calculated by the sum of values %max_len + some universal constant
... I'll have a look ... thanks.
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|
|
From: Olivier D. <dr...@sh...> - 2002-03-02 20:56:55
|
While you're at it, would you mind adding
$CGI::DISABLE_UPLOADS=1
$CGI::POST_MAX=1024*20 # 20k (enough?) max posts
?
Thanks!
-Olivier
On Sat, Mar 02, 2002 at 12:48:00PM -0800, Jonathan Stowe wrote:
>
> uid=68026(gellyfish) gid=100(users) groups=100(users),7054(xmlxslt),40625(nms-cgi)
> wwwboard README,1.6,1.7 wwwboard.pl,1.18,1.19
> Sat Mar 2 12:48:00 PST 2002
> Update of /cvsroot/nms-cgi/wwwboard
> In directory usw-pr-cvs1:/tmp/cvs-serv16887
>
> Modified Files:
> README wwwboard.pl
> Log Message:
> * Added $max_followups configuration to prevent message bomb attack
>
>
> _______________________________________________
> Nms-cgi-commits mailing list
> Nms...@li...
> https://lists.sourceforge.net/lists/listinfo/nms-cgi-commits
--
+----------------------------------------------+
| Olivier Dragon dr...@sh... |
| Software Engineering II, McMaster University |
+----------------------------------------------+
|
|
From: Jonathan S. <gel...@ge...> - 2002-03-02 20:46:44
|
On Sat, 2 Mar 2002, Olivier Dragon wrote:
> On Sat, Mar 02, 2002 at 05:04:31PM +0000, Sam Smith wrote:
> > On Sat, 2 Mar 2002, Olivier Dragon wrote:
> > > WTH??? The page's like 200... MB!!! I've got cable and after 2min I only
> > > had 10MB downloaded... I just gave up!
> > >
> > > What's wrong with it? Is it an NMS wwwboard or a MSA one?
> >
> > The page's like 200... MB!!! I've got cable and after 2min I only
> > had 10MB downloaded... I just gave up!
>
> Haha... funny. I mean technically, why is it so big and what's wrong
> with it...
>
OK, I've worked out what the exploit does - it operates entirely through
the followup parameter. You construct a request (possibly using something
like LWP) that has a followup parameter that has 1 ... <number in
data.txt> and then a very large number of <number in data.txt + 1>
repeated, all comma separated. Thus the threading mechanism will dumbly
rewrite the wwwboard.html so that it becomes gigantic and will rewrite
a load of the individual messages as having these spurious followups.
The second part of this is already dealt with in the code by the
    foreach my $fn (@followup_num) {
        error('followup_data') if $fn !~ /^\d+$/ || $fcheck{$fn};
        $fcheck{$fn}++;
    }
    @followup_num = keys %fcheck;
bit.
The first part however is a little bit more difficult because you would
have to read every message to check whether this was a pukka followup to
that, so what I have done is put in a $max_followups configuration
(guarded by $emulate_matts_code) that limits the number of messages a
followup can be a followup to - this will still allow an attacker to
create *some* spurious followups but will mitigate the potential effect of
such an attempt. I have updated the README accordingly.
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|
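Added example, not part of the original message and not code from wwwboard.pl: a sketch in Perl of the followup validation described above, combining the duplicate check quoted in the message with a cap like $max_followups. The helper name validate_followups, its reason codes, the length pre-check and the range check against the last issued message number are assumptions made for illustration; the sample inputs are constructed.

```perl
use strict;
use warnings;

# Hypothetical helper, not taken from wwwboard.pl.
#   $raw           raw 'followup' form value, e.g. "3,17,40"
#   $last_id       highest message number issued so far (the counter the
#                  message says is kept in data.txt)
#   $max_followups cap on ancestors, in the spirit of $max_followups
# Returns the validated ids in their original order, or dies with a reason.
sub validate_followups {
    my ($raw, $last_id, $max_followups) = @_;
    return () unless defined $raw && length $raw;

    # Assumption: bound the work before splitting. A valid list holds at
    # most $max_followups ids of at most length($last_id) digits each.
    my $max_len = $max_followups * (length($last_id) + 1);
    die "followup_too_long\n" if length($raw) > $max_len;

    my @ids = split /,/, $raw, -1;    # -1 keeps empty trailing fields
    die "followup_too_many\n" if @ids > $max_followups;

    my %seen;
    for my $id (@ids) {
        # As in the quoted loop: digits only and no repeats. Leading zeros
        # are refused as well so "7" and "07" cannot both pass.
        die "followup_data\n" if $id !~ /^[1-9]\d*\z/ || $seen{$id}++;
        # Assumption: an ancestor must already exist, which also refuses a
        # message naming itself ($last_id + 1) as its own followup.
        die "followup_range\n" if $id > $last_id;
    }
    return @ids;
}

# Constructed sample inputs: board counter at 42, cap of 10 ancestors.
my ($last_id, $max_followups) = (42, 10);
my @cases = (
    [ 'normal reply'   => '3,17,40' ],
    [ 'repeated id'    => '1,2,2' ],
    [ 'not a number'   => '1,abc' ],
    [ 'self reference' => '41,43' ],
    [ 'oversized list' => join(',', 1 .. 42, (43) x 1000) ],
);

for my $case (@cases) {
    my ($label, $raw) = @$case;
    my @ids = eval { validate_followups($raw, $last_id, $max_followups) };
    my $outcome = $@ ? "rejected: $@" : "accepted: @ids\n";
    print "$label -> $outcome";
}
```

The length pre-check runs before split, so an oversized parameter is refused without building a large list in memory.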
|
From: Jonathan S. <gel...@ge...> - 2002-03-02 17:14:03
|
On Sat, 2 Mar 2002, Olivier Dragon wrote:
> WTH??? The page's like 200... MB!!! I've got cable and after 2min I only
> had 10MB downloaded... I just gave up!
>
> What's wrong with it? Is it an NMS wwwboard or a MSA one?
It appears to be an MSA (or close relative of it), the main page is full of
multiple entries for the same message and very deeply nested - on the
followup ones it refers to itself as a followup, thus exploiting the
threading mechanism to fill up the disk :) I guess it was a script that
replied to each of real entries on the mainpage and then specified a
'followup' that did the rest.
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|
|
From: Sam S. <sou...@ms...> - 2002-03-02 17:10:47
|
On Sat, 2 Mar 2002, Olivier Dragon wrote:
> On Sat, Mar 02, 2002 at 05:04:31PM +0000, Sam Smith wrote:
> > On Sat, 2 Mar 2002, Olivier Dragon wrote:
> > > WTH??? The page's like 200... MB!!! I've got cable and after 2min I only
> > > had 10MB downloaded... I just gave up!
> > >
> > > What's wrong with it? Is it an NMS wwwboard or a MSA one?
> >
> > The page's like 200... MB!!! I've got cable and after 2min I only
> > had 10MB downloaded... I just gave up!
>
> Haha... funny. I mean technically, why is it so big and what's wrong
> with it...
Lots of people have posted to the board, so there are lots of messages. A
fair number of them seemed to be automatically generated gibberish.
The problem is exactly the one you found -- it's a huge download.
Sam
--
"Thinking of using NT for your critical apps?
Isn't there enough suffering in the world?"
|
|
From: Jonathan S. <gel...@ge...> - 2002-03-02 17:03:54
|
On Sat, 2 Mar 2002, Jonathan Stowe wrote:
>
> I am going to commit some more changes in a minute (new_page was emitting
> some utter crap that purported to be XHTML :) and then lay siege to the
> threading problem, I have also noticed that every once in a while the
> counter is being reset and can't find any reason for that either.
>
Both of these problems were obscure but silly errors I introduced in 1.11 -
I will spare myself and refer you to cvs diff :)
Dave, could you make a new release of wwwboard sometime soon ?
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|
|
From: Olivier D. <dr...@sh...> - 2002-03-02 17:00:55
|
On Sat, Mar 02, 2002 at 05:04:31PM +0000, Sam Smith wrote:
> On Sat, 2 Mar 2002, Olivier Dragon wrote:
> > WTH??? The page's like 200... MB!!! I've got cable and after 2min I only
> > had 10MB downloaded... I just gave up!
> >
> > What's wrong with it? Is it an NMS wwwboard or a MSA one?
>
> The page's like 200... MB!!! I've got cable and after 2min I only
> had 10MB downloaded... I just gave up!
Haha... funny. I mean technically, why is it so big and what's wrong with
it...
-Olivier
--
+----------------------------------------------+
| Olivier Dragon dr...@sh... |
| Software Engineering II, McMaster University |
+----------------------------------------------+
|
|
From: Olivier D. <dr...@sh...> - 2002-03-02 16:55:47
|
WTH??? The page's like 200... MB!!! I've got cable and after 2min I only
had 10MB downloaded... I just gave up!
What's wrong with it? Is it an NMS wwwboard or a MSA one?
-Olivier
On Sat, Mar 02, 2002 at 04:08:42PM +0000, Jonathan Stowe wrote:
> If you have enough bandwidth you might want to take a look at :
>
> http://www.kidlink.org/KIDPROJ/Bridges/wwwboard/
>
> to see another, er, feature of wwwboard that we should be addressing ;-}
>
> /J\
> --
> Jonathan Stowe |
> <http://www.gellyfish.com> | This space for rent
> |
>
>
> _______________________________________________
> Nms-cgi-devel mailing list
> Nms...@li...
> https://lists.sourceforge.net/lists/listinfo/nms-cgi-devel
--
+----------------------------------------------+
| Olivier Dragon dr...@sh... |
| Software Engineering II, McMaster University |
+----------------------------------------------+
|
|
From: Jonathan S. <gel...@ge...> - 2002-03-02 16:09:28
|
If you have enough bandwidth you might want to take a look at :
http://www.kidlink.org/KIDPROJ/Bridges/wwwboard/
to see another, er, feature of wwwboard that we should be addressing ;-}
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|
|
From: Jonathan S. <gel...@ge...> - 2002-03-02 14:51:20
|
On Sat, 2 Mar 2002, Jonathan Stowe wrote:
>
> An error has occurred in the program
>
> Can't use an undefined value as a HASH reference at
> /var/www/nms-test/cgi-bin/wwwboard.pl line 804.
>
Fixed that:
uid=68026(gellyfish) gid=100(users)
groups=100(users),7054(xmlxslt),40625(nms-cgi)
wwwboard wwwboard.pl,1.14,1.15
Sat Mar 2 05:26:19 PST 2002
Update of /cvsroot/nms-cgi/wwwboard
In directory usw-pr-cvs1:/tmp/cvs-serv6581
Modified Files:
wwwboard.pl
Log Message:
* Fixed arguments to rest_of_form()
* (Followups in message still not working)
I am going to commit some more changes in a minute (new_page was emitting
some utter crap that purported to be XHTML :) and then lay siege to the
threading problem, I have also noticed that every once in a while the
counter is being reset and can't find any reason for that either.
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|
|
From: Jonathan S. <gel...@ge...> - 2002-03-02 13:16:01
|
On Sat, 2 Mar 2002, Jonathan Stowe wrote:
> On Fri, 1 Mar 2002, Olivier Dragon wrote:
>
> > On Fri, Mar 01, 2002 at 09:31:03PM +0000, Jonathan Stowe wrote:
> > > On Fri, 1 Mar 2002, Fred Steinberg wrote:
> > >
> > > > FYI, a potential convert.
> > > >
> > >
> > > It's a bit unfortunate that our wwwboard is not quite right now :)
> >
> > What are you talking about? Unless there were major modifications made
> > to it, it was working for me about a month ago. I even made a
> > modification to it so that it supports multiple boards using the same
> > script and it was working fine...
> >
>
> Admittedly I haven't tested the very latest version but at this point:
>
> # Revision 1.12 2002/01/22 09:15:19 gellyfish
> # * Fixed some typos
> # * (Threading still not working)
>
> It was not working properly.
>
With the latest version it does:
ERROR: No Name
You forgot to fill in the 'Name' field in your posting. Correct it below
and re-submit. The necessary fields are: Name, Subject and Message.
Application Error
An error has occurred in the program
Can't use an undefined value as a HASH reference at
/var/www/nms-test/cgi-bin/wwwboard.pl line 804.
If you omit the Name.
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|
|
From: Jonathan S. <gel...@ge...> - 2002-03-02 11:58:09
|
On Fri, 1 Mar 2002, Olivier Dragon wrote:
> On Fri, Mar 01, 2002 at 09:31:03PM +0000, Jonathan Stowe wrote:
> > On Fri, 1 Mar 2002, Fred Steinberg wrote:
> >
> > > FYI, a potential convert.
> > >
> >
> > It's a bit unfortunate that our wwwboard is not quite right now :)
>
> What are you talking about? Unless there were major modifications made
> to it, it was working for me about a month ago. I even made a
> modification to it so that it supports multiple boards using the same
> script and it was working fine...
>
Admittedly I haven't tested the very latest version but at this point:
# Revision 1.12 2002/01/22 09:15:19 gellyfish
# * Fixed some typos
# * (Threading still not working)
It was not working properly.
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|
|
From: Olivier D. <dr...@sh...> - 2002-03-02 02:46:59
|
On Fri, Mar 01, 2002 at 09:31:03PM +0000, Jonathan Stowe wrote:
> On Fri, 1 Mar 2002, Fred Steinberg wrote:
>
> > FYI, a potential convert.
> >
>
> It's a bit unfortunate that our wwwboard is not quite right now :)
What are you talking about? Unless there were major modifications made to
it, it was working for me about a month ago. I even made a modification to
it so that it supports multiple boards using the same script and it was
working fine...
-Olivier
--
+----------------------------------------------+
| Olivier Dragon dr...@sh... |
| Software Engineering II, McMaster University |
+----------------------------------------------+
|
|
From: Jonathan S. <gel...@ge...> - 2002-03-01 21:31:22
|
On Fri, 1 Mar 2002, Fred Steinberg wrote:
> FYI, a potential convert.
>
It's a bit unfortunate that our wwwboard is not quite right now :)
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|
|
From: Fred S. <fr...@p9...> - 2002-03-01 19:50:57
|
FYI, a potential convert. |
|
From: Jonathan S. <gel...@ge...> - 2002-02-28 21:27:05
|
On Thu, 28 Feb 2002, Andy Wardley wrote:
>
> Well, something like that. It'll be great, honest.
>
Yeah, we believe you Andy, we believe you :)
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|
|
From: Andy W. <ab...@kf...> - 2002-02-28 14:00:14
|
On Wed, Feb 27, 2002 at 09:26:46PM +0000, Jonathan Stowe wrote:
> If you find a single file solution that we could start to bundle with NMS
> then I would be pleased to see it ..
>
> I would also be interested in a single file pure perl XML parser.
Sounds like AML might be what you're looking for, but I haven't finished
writing it yet...
It's a greatly simplified, stripped down version of an XML-like markup
language. Retains the structural benefits of XML while giving you the
flexibility of dynamic content generation. Like separate schemas,
stylesheets and content, but you can roll them all into one.
Small, simple, easy to parse, easy to extend, easy to transform, mungify,
and so on.
Well, something like that. It'll be great, honest.
A
|
|
From: Jonathan S. <gel...@ge...> - 2002-02-28 09:52:18
|
$ cvs log | grep lines | perl -e 'while (<>) {
    /author:\s+(\S+?);.*lines:\s*(.*)/;
    ($plus, $minus) = split / /, $2;
    $score{$1} += $plus; $score{$1} -= $minus;
  }
  foreach ( sort { $score{$b} <=> $score{$a} } keys %score ) {
    print "$_ $score{$_}\n"
  }'
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|
|
From: Jonathan S. <gel...@ge...> - 2002-02-28 09:38:36
|
On Thu, 28 Feb 2002, Joseph Ryan wrote:
> "Randal L. Schwartz" <me...@st...> wrote:
>
> > >>>>> "Jonathan" == Jonathan Stowe <jn...@ge...> writes:
> >
> > Jonathan> I would also be interested in a single file pure perl XML parser.
> >
> > XML::Parser::Lite fails for ... what reason?
>
> From the nms home page: (http://nms-cgi.sourceforge.net)
>
> > They must not use any non-standard Perl modules. I know this is a bit
> > contentious, but I really think that the target audience will have problems
> > installing modules from CPAN.
>
> Therefore, we would need a Pure-Perl implementation if we were to include
> it...
>
Randal is of course right ... The code in XML::Parser::Lite is small enough
that it could be ripped out and used in any program that needed to parse
XML, the regular expression at its core, however is that scary that I
wouldn't want to put it anywhere near any children :)
XML::Parser::Lite is distributed with SOAP::Lite - it is only 202 lines long
including POD and comments.
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|