From: Nick C. <ni...@cl...> - 2002-04-08 21:27:12
On Mon, Apr 08, 2002 at 02:23:22PM -0700, Nick Cleaton wrote:
>
> Modified Files:
>     README
> Log Message:
> * updated README for the addition of EXAMPLES

We have a few improvements since the last release now - release please Dave.

--
Nick
From: Nick C. <ni...@cl...> - 2002-04-11 23:00:59
On Thu, Apr 11, 2002 at 03:39:21PM -0700, Nick Cleaton wrote:
>
> Modified Files:
>     guestbook.pl
> Log Message:
> * preserve </body> and </html> in guestlog.html and add them if missing

To do that, I've made it rewrite the file in the same way as the guestbook itself.

Rather than duplicate all the code for that, I've put the file rewrite code in a sub that takes the name of the file to rewrite and a coderef with which to munge each line.

In both cases where I've used this sub, the coderef has turned out to be a closure. This may be too complicated.

OTOH the calls to rewrite_file look (and act wrt lexicals) like some sort of user defined control structure, i.e.:

  my $thing;

  rewrite_file($filename, sub
  {
      # code to munge $_.  $thing is used, so this sub
      # is a closure.
  });

is a bit like:

  my $thing;

  while(<FILE>)
  {
      # code to munge $_.  $thing is used, but nobody
      # gets scared.
  }

... so maybe it's intuitive enough.

What do we think ?

--
Nick
From: Nicholas C. <ni...@un...> - 2002-04-13 00:16:44
On Thu, Apr 11, 2002 at 10:59:50PM +0100, Nick Cleaton wrote:
> In both cases where I've used this sub, the coderef has
> turned out to be a closure. This may be too complicated.
>
> OTOH the calls to rewrite_file look (and act wrt lexicals)
> like some sort of user defined control structure, i.e.:
>
>   my $thing;
>
>   rewrite_file($filename, sub
>   {
>       # code to munge $_.  $thing is used, so this sub
>       # is a closure.
>   });

> What do we think ?

It's not a stated goal of nms to make the scripts easily mod-perl-able, is it? Because IIRC the my $thing; and closure breaks running the script under Apache::Registry (if I remember that name correctly), because of the way it wraps your script inside another subroutine.

Nicholas Clark
--
Even better than the real thing: http://nms-cgi.sourceforge.net/
From: Nick C. <ni...@cl...> - 2002-04-13 09:14:32
On Sat, Apr 13, 2002 at 12:09:43AM +0100, Nicholas Clark wrote:
> >
> >   my $thing;
> >
> >   rewrite_file($filename, sub
> >   {
> >       # code to munge $_.  $thing is used, so this sub
> >       # is a closure.
> >   });
>
> > What do we think ?
>
> It's not a stated goal of nms to make the scripts easily mod-perl-able, is it?

Not specifically, but IMO they should be mod_perl friendly unless it causes huge problems.

> Because IIRC the my $thing; and closure breaks running the script under
> Apache::Registry (if I remember that name correctly), because of the way
> it wraps your script inside another subroutine.

I've just replaced a lot of file scoped lexicals with globals in guestbook.pl, and it now runs without warnings under Apache::Registry.

One of the two calls to rewrite_file is still using a closure over a sub scoped lexical:

  sub log_write
  {
      my $found_close_body = 0;

      rewrite_file($guestlog, sub
      {
          ...
          $found_close_body = 1;
          ...
      });
  }

... and it's doing the right thing under Apache::Registry as far as I can see.

--
Nick
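The rewrite_file/closure pattern discussed in this thread, written out as an added example rather than guestbook.pl's own code; the temp-file-and-rename, the mode copy and the optional trailer coderef are assumptions of this example. Both coderefs are anonymous subs created afresh on every call to log_write, which is why the pattern keeps working under Apache::Registry: the "will not stay shared" problem bites named subs that close over file-scoped lexicals, not closures like these.

```perl
use strict;
use warnings;
use File::Basename qw(dirname);
use File::Temp qw(tempfile);

# Rewrite $filename line by line.  $munge runs once per line with the line in
# $_ and may change it (setting $_ to '' drops the line); $trailer, if given,
# returns text to append after the last line.  Output goes to a temp file in
# the same directory and is renamed over the original, so a crash mid-write
# leaves the old file intact rather than a truncated one.
sub rewrite_file {
    my ($filename, $munge, $trailer) = @_;
    open my $in, '<', $filename or die "open $filename: $!";
    my ($out, $tmpname) = tempfile('rewrite.XXXXXX', DIR => dirname($filename));
    chmod((stat $in)[2] & 07777, $tmpname) or die "chmod $tmpname: $!";  # keep the file's mode
    while (<$in>) {
        $munge->();
        print {$out} $_;
    }
    print {$out} $trailer->() if $trailer;
    close $in;
    close $out                 or die "write $tmpname: $!";
    rename $tmpname, $filename or die "rename $tmpname -> $filename: $!";
}

# Append one entry (already HTML-escaped by the caller) to the guest log.
# </body> and </html> are lifted out wherever they occur and re-emitted after
# the new entry, so a log that lost either tag ends up well-formed again.
sub log_write {
    my ($guestlog, $entry_html) = @_;
    my $found_close_body = 0;    # sub-scoped lexicals captured by the closure
    my $found_close_html = 0;
    rewrite_file(
        $guestlog,
        sub {
            my $before = $_;
            $found_close_body = 1 if s%</body>%%gi;
            $found_close_html = 1 if s%</html>%%gi;
            $_ = '' if $_ ne $before and not /\S/;    # line held only the tags
        },
        sub { "$entry_html\n</body>\n</html>\n" },
    );
    return ($found_close_body, $found_close_html);
}

# Demo on a constructed guestlog.html that lacks its closing tags.
my $log = 'guestlog.html';
open my $fh, '>', $log or die "create $log: $!";
print {$fh} "<html><body>\n<p>first entry</p>\n";
close $fh;
my ($body, $html) = log_write($log, '<p>second entry</p>');
print "had </body>: $body  had </html>: $html\n";
open $fh, '<', $log or die "read $log: $!";
print <$fh>;
```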
From: Nick C. <ni...@cl...> - 2002-04-30 12:11:31
On Tue, Apr 30, 2002 at 01:02:18AM -0700, Nick Cleaton wrote:
>
> Log Message:
> Initial import of TFmail.pl.  Highly alpha.

This is an alternative formmail, using a configuration file on the server rather than hidden form fields, and using a basic templating system for output.

It also does file uploads as securely as possible (off by default, whitelist of file extensions, attacker doesn't control filename, c/t always application/octet-stream).

There's an extra step to releasing this: Copy MIME/Lite.pm from wherever you have it installed to MIME_Lite.pm in the tfmail directory, before making the .tar.gz and .zip files.

--
Nick
From: Nick C. <ni...@cl...> - 2002-05-08 08:05:54
On Wed, May 08, 2002 at 01:01:03AM -0700, Nick Cleaton wrote:
>
> Modified Files:
>     search.pl
> Log Message:
> * fixed some XSS holes

I've used a tied hash for this, so that expressions can be escaped into here documents with $E{$foo} rather than the less elegant ${\( escape_html($foo) )}.

But that might be too complicated for our intended audience.

--
Nick
From: Dave C. <da...@da...> - 2002-05-08 08:27:21
On Wed, May 08, 2002 at 08:04:22AM +0100, Nick Cleaton (ni...@cl...) wrote:
> On Wed, May 08, 2002 at 01:01:03AM -0700, Nick Cleaton wrote:
> >
> > Modified Files:
> >     search.pl
> > Log Message:
> > * fixed some XSS holes
>
> I've used a tied hash for this, so that expressions can be
> escaped into here documents with $E{$foo} rather than the
> less elegant ${\( escape_html($foo) )}.
>
> But that might be too complicated for our intended audience.

No, that's fine by me. Doesn't need to be simple - as long as it's correct.

I've released a new version of simple (and also formmail which seemed to have some outstanding updates).

Dave...
--
Don't dream it... be it
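The tied-hash escaping idiom Nick describes, as an added example and not the search.pl code: the package name HTMLEscapeHash, the results_page sub and the sample input are all constructed here. Every FETCH returns the HTML-escaped key, so "$E{$foo}" interpolates escaped text into a here document; writes die, so nobody can accidentally turn the hash into a cache of raw input.

```perl
use strict;
use warnings;

# Read-only tied hash: FETCH escapes the key, everything else refuses to store.
package HTMLEscapeHash;

my %entity = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
              '"' => '&quot;', "'" => '&#39;');

sub TIEHASH { my ($class) = @_; return bless {}, $class }

sub FETCH {
    my ($self, $text) = @_;
    return '' unless defined $text;
    # Escape the five characters that can break out of text or attribute context.
    (my $escaped = $text) =~ s/([&<>"'])/$entity{$1}/g;
    return $escaped;
}

sub STORE    { die 'the %E hash is read-only; interpolate $E{$value} instead' }
sub DELETE   { die 'the %E hash is read-only' }
sub CLEAR    { die 'the %E hash is read-only' }
sub EXISTS   { return 1 }    # every string has an escaped form
sub FIRSTKEY { return }      # nothing to iterate over
sub NEXTKEY  { return }

package main;

tie my %E, 'HTMLEscapeHash';

# Only $count, which the script itself computed, is interpolated raw; the
# user-supplied $terms goes through $E{...} both in text and attribute context.
sub results_page {
    my ($terms, $count) = @_;
    return <<"HTML";
<p>Your search for <b>$E{$terms}</b> found $count results.</p>
<input type="text" name="terms" value="$E{$terms}">
HTML
}

# Constructed hostile input of the kind a search form field can carry.
print results_page(q{<script>alert("x")</script> fish & chips}, 0);
```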
From: Nick C. <ni...@cl...> - 2002-05-30 19:49:52
On Thu, May 30, 2002 at 12:45:30PM -0700, Nick Cleaton wrote:
>
> Modified Files:
>     MANIFEST README TFmail.pl
> Added Files:
>     NMStreqUTF8.pm
> Log Message:
> * added utf-8 support

This could do with testing, especially by people who use languages that are badly served by iso-8859-1.

--
Nick
From: Nick C. <ni...@cl...> - 2002-06-09 08:47:16
On Sun, Jun 09, 2002 at 01:43:40AM -0700, Nick Cleaton wrote:
>
> uid=68644(nickjc) gid=100(users) groups=100(users),40625(nms-cgi)
> tfmail TFmail.pl,1.11,1.12
> Sun Jun  9 01:43:40 PDT 2002
> Update of /cvsroot/nms-cgi/tfmail
> In directory usw-pr-cvs1:/tmp/cvs-serv10440
>
> Modified Files:
>     TFmail.pl
> Log Message:
> * fixed file uploads, which were broken

Release please Dave.

--
Nick
From: Jonathan S. <gel...@ge...> - 2002-06-09 09:55:08
On Sun, 9 Jun 2002, Nick Cleaton wrote:
>
> Release please Dave.
>

It occurs to me that, unless Dave wants to keep control of what is released to the website, if the files in /home/groups/n/nm/nms-cgi/htdocs are given group write permissions then we won't need to trouble Dave every time we need to make a new release to the website; of course Dave will still need to make the releases to the project page.

/J\
--
Jonathan Stowe | <http://www.gellyfish.com> | This space for rent |
From: Dave C. <da...@da...> - 2002-06-09 10:44:28
On Sun, Jun 09, 2002 at 10:53:59AM +0100, Jonathan Stowe (gel...@ge...) wrote:
> On Sun, 9 Jun 2002, Nick Cleaton wrote:
> >
> > Release please Dave.
> >
> It occurs to me that, unless Dave wants to keep control of what is
> released to the website, if the files in /home/groups/n/nm/nms-cgi/htdocs
> are given group write permissions then we won't need to trouble Dave every
> time we need to make a new release to the website,

Yeah. I was just thinking the same thing myself. And if I accept this job offer then I'll have even less time to do releases. I'll sort something out this week.

> of course Dave will
> still need to make the releases to the project page.

We can almost certainly do something about this too.

Dave...
--
"Don't you boys know any _nice_ songs?"
From: Dave C. <da...@da...> - 2002-06-09 11:42:29
On Sun, Jun 09, 2002 at 09:45:16AM +0100, Nick Cleaton (ni...@cl...) wrote:
> On Sun, Jun 09, 2002 at 01:43:40AM -0700, Nick Cleaton wrote:
> >
> > uid=68644(nickjc) gid=100(users) groups=100(users),40625(nms-cgi)
> > tfmail TFmail.pl,1.11,1.12
> > Sun Jun  9 01:43:40 PDT 2002
> > Update of /cvsroot/nms-cgi/tfmail
> > In directory usw-pr-cvs1:/tmp/cvs-serv10440
> >
> > Modified Files:
> >     TFmail.pl
> > Log Message:
> > * fixed file uploads, which were broken
>
> Release please Dave.

Done. Along with ffa and nms_sendmail.

Dave...
--
Don't dream it... be it
From: Jonathan S. <gel...@ge...> - 2002-06-18 21:57:06
On Tue, 18 Jun 2002, Jonathan Stowe wrote:
>
> uid=68026(gellyfish) gid=100(users) groups=100(users),7054(xmlxslt),13067(per$
> search search.pl,1.31,1.32
> Tue Jun 18 13:26:41 PDT 2002
> Update of /cvsroot/nms-cgi/search
> In directory usw-pr-cvs1:/tmp/cvs-serv13471
>
> Modified Files:
>     search.pl
> Log Message:
> Don't encode entities if they are already part of an entity
>

Could someone with some spare time check this out as safe to use everywhere ? It works on the person who reports the bug e-mail message :)

It is probably not right to use in some of the places in wwwboard where we convert both ways :)

/J\
--
Jonathan Stowe | <http://www.gellyfish.com> | This space for rent |
From: Nick C. <ni...@cl...> - 2002-06-18 22:43:22
On Tue, Jun 18, 2002 at 10:56:09PM +0100, Jonathan Stowe wrote:
>
> Could someone with some spare time check this out as safe to use
> everywhere ? It works on the person who reports the bug e-mail message :)
>
> It is probably not right to use in some of the places in wwwboard where we
> convert both ways :)

> $string =~ s%(?:(&)(?!#?[\w\d]+;)|([^\w \t\r\n.,;&:/-]))% $eschtml_map{$1 || $2} %ge;

Hmmm, a hard sum.  My eyes hurt.

  s%  (?:  (&) (?!#?[\w\d]+;)
        |  ([^\w \t\r\n.,;&:/-])
      )
   %
     $eschtml_map{$1 || $2}
   %ge;

That's better.

The outer (?: ) is redundant.

We can move ()s outward to get rid of the {$1 || $2} thing.

[\w\d] is \w

Need to add '#' to the safe list, or 6 will become &#54;

... so (unless I messed up) it could come down to:

  $string =~ s%(&(?!#?\w+;)|[^\w \t\r\n.,;&#:/-])% $eschtml_map{$1} %ge;

or even:

  $string =~ s% ( & (?!\#?\w+;)
                | [^\w\ \t\r\n.,;&\#:/-]
                )
              %
                $eschtml_map{$1}
              %gex;

if that's clearer.

--
Nick
From: Jonathan S. <gel...@ge...> - 2002-06-19 08:09:45
On Tue, 18 Jun 2002, Nick Cleaton wrote:
> On Tue, Jun 18, 2002 at 10:56:09PM +0100, Jonathan Stowe wrote:
> >
> > Could someone with some spare time check this out as safe to use
> > everywhere ? It works on the person who reports the bug e-mail message :)
> >
> > It is probably not right to use in some of the places in wwwboard where we
> > convert both ways :)
>
> > $string =~ s%(?:(&)(?!#?[\w\d]+;)|([^\w \t\r\n.,;&:/-]))% $eschtml_map{$1 || $2} %ge;
>
> Hmmm, a hard sum.  My eyes hurt.
>

How do you think mine felt, this was after the third can of Bishops Finger :)

>
> The outer (?: ) is redundant.
>
> We can move ()s outward to get rid of the {$1 || $2} thing.
>
> [\w\d] is \w
>
> Need to add '#' to the safe list, or 6 will become &#54;
>
>
> ... so (unless I messed up) it could come down to:
>
>   $string =~ s%(&(?!#?\w+;)|[^\w \t\r\n.,;&#:/-])% $eschtml_map{$1} %ge;
>
>
> or even:
>
>   $string =~ s% ( & (?!\#?\w+;)
>                 | [^\w\ \t\r\n.,;&\#:/-]
>                 )
>               %
>                 $eschtml_map{$1}
>               %gex;
>
> if that's clearer.
>

Yeah, that's better. But I really wish someone would explain to me why the first '#' needs to be escaped in the way you have and not in my original - there is a hint of bug in this - why does it cause the first '(' to be unmatched ?

Ho-Hum

/J\
--
Jonathan Stowe | <http://www.gellyfish.com> | This space for rent |
From: Nick C. <ni...@cl...> - 2002-06-19 09:11:37
On Wed, Jun 19, 2002 at 07:23:45AM +0100, Jonathan Stowe wrote:
>
> Yeah, that's better. But I really wish someone would explain to me why the
> first '#' needs to be escaped in the way you have and not in my original -
> there is a hint of bug in this - why does it cause the first '(' to be
> unmatched ?

Because '#' is comment to end of line with /x unless you backslash it, so the matching ')' gets turned into comment.

I think.

--
Nick
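The entity-preserving escape from this exchange, written out as an added example (not the search.pl code), with the lookahead's '#' backslashed as in Nick's /x version, next to a check that shows the compile error the unescaped form produces. The %eschtml_map here is constructed for the example; search.pl's own map is not on this page.

```perl
use strict;
use warnings;

# Escape map: the four HTML metacharacters get named entities, every other
# byte a numeric one.  0..255 only; wide characters would need a bigger map.
my %eschtml_map = map { chr($_) => sprintf('&#%d;', $_) } 0 .. 255;
@eschtml_map{ '&', '<', '>', '"' } = ('&amp;', '&lt;', '&gt;', '&quot;');

# Escape for HTML without double-escaping an '&' that already begins an
# entity (&amp;, &#54;, &#x3C;).  Written with /x, so the '#' inside the
# lookahead must be backslashed: otherwise it starts a comment that runs to
# the end of the line and swallows the ')' closing the lookahead.
sub escape_html_keep_entities {
    my ($string) = @_;
    $string =~ s% ( & (?!\#?\w+;)              # lone '&' that is not an entity start
                  | [^\w\ \t\r\n.,;&\#:/-]     # anything outside the safe list
                  )
                %
                  $eschtml_map{$1}
                %gex;
    return $string;
}

# The same pattern with the '#' left unescaped.  Built from a string so the
# regex is compiled at run time and the error can be caught and returned.
sub broken_pattern_error {
    my $pat = '( & (?!#?\w+;) | [^\w \t\r\n.,;&#:/-] )';
    my $ok  = eval { my $re = qr/$pat/x; 1 };
    return $ok ? undef : $@;
}

# Constructed inputs: a bare '&', already-escaped entities, and raw markup.
for my $in ('AT&T &amp; &#54; &#x3C;', q{<a href="x">6</a>}) {
    printf "%-28s => %s\n", $in, escape_html_keep_entities($in);
}
print "unescaped '#' under /x: ", broken_pattern_error();
```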
From: Jonathan S. <gel...@ge...> - 2002-06-19 09:20:05
On Wed, 19 Jun 2002, Nick Cleaton wrote:
> On Wed, Jun 19, 2002 at 07:23:45AM +0100, Jonathan Stowe wrote:
> >
> > Yeah, that's better. But I really wish someone would explain to me why the
> > first '#' needs to be escaped in the way you have and not in my original -
> > there is a hint of bug in this - why does it cause the first '(' to be
> > unmatched ?
>
> Because '#' is comment to end of line with /x unless you backslash
> it, so the matching ')' gets turned into comment.
>
> I think.
>

Yeah, that'll be it ... Trying to understand things at 7:30 in the morning is not my strong suit :)

/J\
--
Jonathan Stowe | <http://www.gellyfish.com> | This space for rent |
From: Jonathan S. <gel...@ge...> - 2002-07-14 09:39:05
On Sun, 14 Jul 2002, Jonathan Stowe wrote:
>
> uid=68026(gellyfish) gid=100(users) groups=100(users),7054(xmlxslt)
> docs isp_mail_1.txt,NONE,1.1 isp_mail_2.txt,NONE,1.1
> Sun Jul 14 02:22:17 PDT 2002
> Update of /cvsroot/nms-cgi/docs
> In directory usw-pr-cvs1:/tmp/cvs-serv14470
>
> Added Files:
>     isp_mail_1.txt isp_mail_2.txt
> Log Message:
> Checked in the letters for ISPs
>

I have checked these in for anyone who might want to e-mail an ISP - please feel free to alter ... isp_mail_1.txt is a letter where an ISP is still actively advocating the use of an insecure form mail program and the other is where they may have made their own hack on it or done something like deleting all the FormMail.pl from the server.

/J\
--
Jonathan Stowe | <http://www.gellyfish.com> | This space for rent |
From: Jonathan S. <gel...@ge...> - 2002-07-20 09:48:36
On Sat, 20 Jul 2002, Jonathan Stowe wrote:
>
> uid=68026(gellyfish) gid=100(users) groups=100(users),7054(xmlxslt),13067(perl-foundry),40625(nms-cgi)
> pub support.html,1.6,1.7
> Sat Jul 20 01:56:39 PDT 2002
> Update of /cvsroot/nms-cgi/pub
> In directory usw-pr-cvs1:/tmp/cvs-serv20066/pub
>
> Modified Files:
>     support.html
>

I have put some suggested text in here which might forestall some of the support requests for other people's installed formmails we have been getting recently. Dave, if you want to cast an editorial eye over it and then chuck it up if you think it is worth it.

/J\
--
Jonathan Stowe | <http://www.gellyfish.com> | This space for rent |
From: Nick C. <ni...@cl...> - 2002-08-24 08:43:20
On Sat, Aug 24, 2002 at 01:26:25AM -0700, Nick Cleaton wrote:
>
> Modified Files:
>     README wwwboard.pl
> Log Message:
> * inlined CGI::NMS::Charset into wwwboard.pl, and started on patching
>   the XSS holes in wwwboard.

I've inlined CGI::NMS::Charset by hand for now. I'll whack up a script to update the inlined copy of the module from the master sources later.

XSS isn't yet fully patched, this is still alpha. I've also disabled $allow_html until such time as it's implemented in an XSS-free way.

I thought I'd use wwwboard as a testbed for the inlining of modules, since it's the most broken script.

--
Nick
From: Nick C. <ni...@cl...> - 2002-08-26 09:00:09
On Mon, Aug 26, 2002 at 01:54:12AM -0700, Nick Cleaton wrote:
>
> Modified Files:
>     wwwboard.pl
> Log Message:
> * file locking review

I was unable to convince myself that the existing locking scheme was safe, so I've pulled it all out and replaced it with a single coarse lock around all the code that makes changes.

--
Nick
From: Nick C. <ni...@cl...> - 2002-08-28 22:24:51
On Wed, Aug 28, 2002 at 03:02:16PM -0700, Nick Cleaton wrote:
>
> Modified Files:
>     release.pl
> Added Files:
>     inline_modules.pl
> Log Message:
> * added script to inline modules into standalone scripts

pub/inline_modules.pl needs to be run after making a change to modules/NMS/Charset/Charset.pm - see pod in the script for details.

--
Nick
From: Nick C. <ni...@cl...> - 2002-11-21 09:08:30
On Wed, Nov 20, 2002 at 10:39:42PM -0800, Nick Cleaton wrote:
>
> uid=68644(nickjc) gid=100(users) groups=100(users),40625(nms-cgi)
> formmail EXAMPLES,2.1,2.2 FormMail.pl,2.19,2.20 README,2.6,2.7
> Wed Nov 20 22:39:42 PST 2002
> Update of /cvsroot/nms-cgi/formmail
> In directory sc8-pr-cvs1:/tmp/cvs-serv27318
>
> Modified Files:
>     EXAMPLES FormMail.pl README

This is quite a big change, so I haven't released yet.

> * added $postmaster config variable to allow envelope sender to be set

This assumes that $mailprog accepts "-f $sender" on the command line, but users with mailprogs that don't can just leave $postmaster blank and set the sender directly in $mailprog, so that's OK.

> * added support for mailing via SMTP

The external nms_sendmail script is fine when it's working, but impossible to debug on a Win32 shared web server, since the error message always seems to get lost somewhere when it dies. Direct SMTP from within FormMail.pl doesn't have this problem, so now we'll get a meaningful error message if the SMTP conversation fails. And it's easier to set up than nms_sendmail.

--
Nick
From: Dan M. <oma...@lc...> - 2002-11-21 16:37:47
We run a free web server for non profits in our area. A bunch of groups are using formmail.pl. We'd like to set things up so we have to update the script in only one place. We are running suexec. Also it is possible that different sites will want different configurations.

Could we submit a patch that will move the guts of formmail.pl into a module that we could install centrally? I could see how this would complicate creating the distribution package a bit but I guess it would make life a lot easier for ISPs...
From: Nick C. <ni...@cl...> - 2003-02-01 18:21:19
On Sat, Feb 01, 2003 at 09:46:47AM -0800, Nick Cleaton wrote:
>
> Added Files:
>     index.shtml
> Log Message:
> * add /v2/index.shtml to web site. Very rough and ready.

/v2 in CVS now has pretty much everything needed to make releases of FormMail based on the modules. See /v2/README.developer.pod and /v2/Makefile for details. I have it set to upload to /v2 for now, which isn't linked from the rest of the site.

The one thing I've done that I'm not really happy with is use dates as version numbers, so the latest version is called "version 2003-02-02-1726", rather than "version 3.14". I suspect that this will cause problems, since users won't know which of "2.21" and "2003-02-02-1726" is newer.

My thinking at the moment is that a file in CVS will record a mapping between change dates and version numbers (starting from 3.01 maybe) and new version numbers will be allocated automatically at release. The pre-release procedure would be something like:

  check in your changes

  run the script that adds the dates of the changes you just made to the
  version number map.

  check the version number map into CVS

--
Nick