[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] Please Help CGIWrap

Subject: Re: [cobalt-users] Please Help CGIWrap
From: Keith Davis <cache@xxxxxxxxxx>
Date: Mon May 7 06:47:46 2001
Organization: Digital Odyssey Web Development
List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>

Clayton Winter wrote:
> 
> The way cobalts provide cgi is quite differnet to my other experiences.
> How does CGIWrap work?
> I have formmail.cgi that many of my domain customers use how can I give

Formmail.pl will not run on a RaQ out of the box. You need to change
line 29 from
$mailprog = '/usr/lib/sendmail'; to $mailprog = '/usr/sbin/sendmail';

Also, formmail needs to be spamproofed. As is, it passes the email
recipient addresses to the script from the form. Formmail checks the
form's http_referer to guarantee that a spammer has not sent a form from
another server with different recipients. Http_referer is hackable so
this guarantee does not work. The alternative suggested at
http://www.cgi.tj/scripts/alienform/ 
uses the same concept and is just as hackable.

Since your clients are familiar with formmail you might consider
spamproofing it instead of training everyone to use something else. To
do so you need to know and list the recipient addresses on the script so
it can check against the recipients field sent from the form. 

On line 33 of the standard distribution create an array holding the
approved email recipient addresses like so:
@recipients = qw(abc@xxxxxxx xyz@xxxxxxx someone@xxxxxxxxxxxxx);
(note the single spaces separating the addresses)

Then on line 51 add the test:
unless("@recipients" =~ /$Config{'recipient'}/){&error('bad_recipient')}

Then go to line 565 and line 196 and change:
 'no_recipient'
to read
 'bad_recipient'

Then edit the html between lines 571 and 582 to reflect that an
unapproved recipient address was submitted. 

Your clients will not have to change anything on the forms they are
using. They will need to give you the email addresses that they want
their forms to send email to. There is no need to disable the
http_referer test, although it is not foolproof it does no harm.

If your clients are using multiple recipients replace the above line 33
unless test with the following, it will handle single and multiple
recipients if you've followed Matt's FAQ on using them:

@R=split(/,/, $Config{'recipient'});
foreach (@R){
unless("@recipients" =~ /$_/){&error('bad_recipient')}
}

As for CGIWrap, you're probably used to Perl scripts running as 'nobody'
or 'http'. On a RaQ Perl has to also run the server through the GUI so
scripts run as the owner of the script. If root owns the script it runs
as root, if admin is the owner it runs as admin, if the siteadmin user
owns it, it runs as the siteadmin. The main difference you'll probably
encounter will be the permissions needed to rw files. If the script and
data file are owned by the same user 0600 will do, which also restricts
access to the owner, a script owned by the owner, and SU. If the script
and file are owned by different users the file will need the 0666 you're
probably familiar with. However, 0666 will allow any script in any
domain to also rw that file. If your clients are using scripts and
storing sensitive data, be sure they understand that those rules have
changed.

keith

Follow-Ups:
- [cobalt-users] Portsentry unable to listen to UDP ports
  - From: Zarrir Junior

References:
- [cobalt-users] Please Help CGIWrap
  - From: Clayton Winter

Prev by Date: Re: AW: [cobalt-users] Nameserver RaQ4
Next by Date: [cobalt-users] SSL Server
Previous by thread: [cobalt-users] Email Aliases
Next by thread: [cobalt-users] Portsentry unable to listen to UDP ports

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index