cvsweb authentication implementation

Gaël Vittu gael.vittu-ext at cnamts.fr
Wed Aug 29 00:09:31 PDT 2007


Hello,

This message comes to you because Perl is launched in 'tainted' mode (1st 
line of cvsweb.cgi => -T).
To use variables, you'll have to check them before using them.

In my version of CVSWeb, I've got to read configuration files so that 
users can use their own profiles. Let's say that '$myvar' is the name of 
that profile. I have to add '.conf' to create the name of the conf file:

Try this:
    if ($myvar =~ /^([-\@\w.]+)$/) {
      $myvar = $1 . ".conf"; # only the regex capture $1 is untainted (perl option -T)
    } else {
      die "invalid profile name";
    }

If you're interested in my version, so that your users can create their 
own profiles, let me know.

Gaël

Thiago Lacerda Zago wrote:
> Hi,
>
> I'm implementing, let me say, a sort of authentication in cvsweb so that only our permitted staff could use this tool through our intranet.
>
> I'm doing so by reading the PHP session of the starting page that calls cvsweb.cgi, and using PHP::Session to retrieve the user-provided data. Then I'm propagating the session id through all cvsweb.cgi links through the GET method and CGI param().
>
> I'm almost done with this task but now I am facing a problem that I was not able to solve yet.
>
> When I click on the link that follows the icon to show the revisions graphically, the reference link is http://xxx/cgi-bin/ /cvsweb.cgi/dcn_cor/router.db?graph=1;sid=5s4gj964cd4c2j88ljsxz3qopr
>
> Where sid=5s4gj964cd4c2j88ljsxz3qopr in this case is the PHP session id that I'm sending along with the link http://xxx/cgi-bin/ /cvsweb.cgi/dcn_cor/router.db?graph=1 so that the graph page could be authenticated and allowed to be displayed as well.
>
> The problem is that I keep getting this error message:
>
> :: Error ::
>
> Error: '/usr/bin/cvsgraph -r /usr/local/rancid/var/CVS -m dcn_cor/configs/ -i -M CvsGraphMap -x x -Omap_branch_href="href=\"./?only_with_tag=%(%t%);sortby=date\"" -Omap_rev_href="href=\"?rev=%(%R%);sortby=date\"" -Omap_diff_href="href=\"%(0.000000%).diff?sid=5s4gj964cd4c2j88ljsxz3qopr;r1=%(%P%);r2=%(%R%);sortby=date\"" -c /etc/cvsgraph.conf router005,v' failed: Insecure dependency in exec while running with -T switch at /usr/lib/perl5/site_perl/5.8.0/IPC/Run.pm line 1272. at /xxx/www/cgi-bin/cvsweb.cgi line 4545
>
> The sub customized to accomplish this is doGraphView().
>
> The funny thing is that this error occurs only when I add a ?sid=$id to the array @graph_cmd as shown right below.
>
>
> my @graph_cmd =
>     ($CMD{cvsgraph},
>      '-r', $cvsroot,
>      '-m', $pathname,
>      '-i',
>      '-M', $mapname,
>      '-x', 'x',
>      "-Omap_branch_href=\"href=\\\"./?only_with_tag=%(%t%)$notag_query\\\"\"",
>      "-Omap_rev_href=\"href=\\\"?rev=%(%R%)$barequery\\\"\"",
>      "-Omap_diff_href=\"href=\\\"%(%F%).diff" .
>      "?sid=$id;r1=%(%P%);r2=%(%R%)$barequery\\\"\"" ,
>      );
>
>
> If I do the same thing, but this time manually write the value ?sid=5s4gj964cd4c2j88ljsxz3qopr, it just works fine and no error is issued at all.
>
>
> my @graph_cmd =
>     ($CMD{cvsgraph},
>      '-r', $cvsroot,
>      '-m', $pathname,
>      '-i',
>      '-M', $mapname,
>      '-x', 'x',
>      "-Omap_branch_href=\"href=\\\"./?only_with_tag=%(%t%)$notag_query\\\"\"",
>      "-Omap_rev_href=\"href=\\\"?rev=%(%R%)$barequery\\\"\"",
>      "-Omap_diff_href=\"href=\\\"%(%F%).diff" .
>      "?sid=5s4gj964cd4c2j88ljsxz3qopr;r1=%(%P%);r2=%(%R%)$barequery\\\"\"" ,
>      );
>
>
> Any hint on how to solve this problem and/or a better solution to implementing cvsweb authentication?
>
> Thanks in advance.
>
> Thiago Zago
>
> _______________________________________________
> freebsd-cvsweb at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-cvsweb
> To unsubscribe, send any mail to "freebsd-cvsweb-unsubscribe at freebsd.org"

-- 
Gaël VITTU - DDSI/DIQ/DRI
     04.76.69.43.91



*****************************************************
"The contents of this e-mail and any attachments are confidential. They are
intended solely for the addressee. If this message is not intended for you,
or if you have received it in error, then, so as not to breach the
confidentiality of correspondence, you must not forward it to others or
reproduce it. Please return it to the sender and destroy it.

Note: The sender's organisation cannot be held liable for any alteration of
this e-mail. It is the recipient's responsibility to check that received
messages and attachments contain no viruses.
The opinions expressed in this e-mail and any attachments are those of the
sender. They do not reflect the position of the Organisation unless
otherwise stated in this e-mail."
******************************************************
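Both messages in this thread turn on the same rule of Perl's taint mode: a value that came from the CGI request (Thiago's $id, Gaël's $myvar) stays tainted through every copy and concatenation, and exec/system refuse any argument built from it; only the text captured by a regex match is untainted. The script below is an added example that is not code from cvsweb.cgi or from either poster. It takes the session id quoted in the thread, shows which operations clear the taint and which do not, reproduces the "Insecure dependency" refusal with the cvsgraph -O option string, and checks that the whitelist also rejects values that would break out of the quoted href. Assumptions: the session id alphabet and length in untaint_sid() (PHP's 6-bit hash_bits_per_character alphabet, which covers the 4- and 5-bit ones), the file name untaint_sid.pl, and the harmless command `true` standing in for cvsgraph.

```perl
#!/usr/bin/perl -T
# Added example for this thread (not code from cvsweb.cgi or from either
# poster): how taint mode treats a session id taken from a CGI parameter,
# why copying or concatenating it does not clear the taint, and how a
# whitelist regex capture does. Run it as:  perl -T untaint_sid.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Every %ENV value is tainted under -T, so a zero-length substr() of one
# is a tainted empty string. Grab it BEFORE %ENV is sanitized below; it is
# used to construct tainted test input, since string literals never are.
my $TAINT = substr(defined $ENV{PATH} ? $ENV{PATH} : '', 0, 0);

# perlsec: system/exec also refuse to run while PATH itself is tainted.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Whitelist for a PHP session id. Assumption: ids are 22 to 128 characters
# drawn from [A-Za-z0-9,-] (PHP's session.hash_bits_per_character=6
# alphabet; settings 4 and 5 produce subsets of it). Adjust to your php.ini.
# Returns the untainted id, or undef when the input does not match.
sub untaint_sid {
    my ($sid) = @_;
    return undef unless defined $sid;
    # Only the text captured by the regex loses its taint. \A and \z are
    # used instead of ^ and $ because $ still matches before a trailing "\n".
    return $sid =~ /\A([A-Za-z0-9,-]{22,128})\z/ ? $1 : undef;
}

# Constructed tainted input (in cvsweb.cgi it would be CGI::param('sid')).
sub taint_it { my ($s) = @_; return $s . $TAINT }

# The -O option cvsweb hands to cvsgraph, with the sid interpolated in.
sub diff_href_arg {
    my ($sid) = @_;
    return "-Omap_diff_href=\"href=\\\"%(%F%).diff?sid=$sid;r1=%(%P%);r2=%(%R%)\\\"\"";
}

my $sid = taint_it('5s4gj964cd4c2j88ljsxz3qopr');   # value quoted in the thread
printf "raw sid tainted:            %s\n", tainted($sid) ? 'yes' : 'no';

my $copy = "$sid" . '.conf';                        # derived data stays tainted
printf "\$sid . '.conf' tainted:     %s\n", tainted($copy) ? 'yes' : 'no';

my $clean = untaint_sid($sid);
printf "regex capture tainted:      %s\n", tainted($clean) ? 'yes' : 'no';

# A command line containing a tainted element is refused outright; this is
# the "Insecure dependency in exec while running with -T switch" from the thread.
for my $case (['tainted', $sid], ['untainted', $clean]) {
    my ($label, $value) = @$case;
    my $ran = eval { system('true', diff_href_arg($value)) == 0 };
    printf "system() with %-9s sid: %s", $label, $ran ? "ran\n" : "refused: $@";
}

# Untainting must also reject anything that would break out of the quoted
# href or the command line; a permissive /(.*)/ would silence Perl but not fix that.
for my $bad ('abc"; rm -rf /; echo "', "5s4gj964cd4c2j88ljsxz3qopr\n", '../../../etc/passwd') {
    my $shown = $bad;
    $shown =~ s/\n/\\n/g;
    printf "whitelist rejects '%s': %s\n", $shown,
        defined untaint_sid(taint_it($bad)) ? 'NO' : 'yes';
}
```

Run it with `perl -T untaint_sid.pl` (the shebang's -T is only honoured when the file is executed directly; `perl untaint_sid.pl` dies with "Too late for -T switch"). In cvsweb.cgi the equivalent of untaint_sid() belongs between `param('sid')` and the point where $id is interpolated into @graph_cmd, and the same `$1`-capture rule is why a profile name has to be taken from the match rather than from the original variable. Two caveats worth keeping in mind with this design: the whitelist, not the untainting itself, is what keeps `"` and `;` out of the -O option cvsgraph receives, and a session id carried in GET links ends up in web-server logs and Referer headers of any page it links to.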


