From 3c09af9cc854c716d9f772d1c8c1e568cacc92b9 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Thu, 25 Aug 2016 22:26:34 -0700 Subject: [PATCH] use cgi dir for better security --- _site/{comment.rb => cgi/comment} | 26 +++++++++++++++----------- b.rb | 9 +++++---- build.rb | 4 +++- setup.sh | 11 +++++++++-- 4 files changed, 32 insertions(+), 18 deletions(-) rename _site/{comment.rb => cgi/comment} (92%) diff --git a/_site/comment.rb b/_site/cgi/comment similarity index 92% rename from _site/comment.rb rename to _site/cgi/comment index 14f1152..b1e8796 100755 --- a/_site/comment.rb +++ b/_site/cgi/comment @@ -27,9 +27,12 @@ require 'fileutils' require 'time' require 'sqlite3' -require_relative '../b' +Dir.chdir(File.join(File.dirname(__FILE__), '..')) + +require '../b' include B + # constanty things DEBUG = true CAPTCHA = -> { @@ -77,11 +80,11 @@ EOF def do_captcha captcha_q = CAPTCHA.sample[0] puts "Content-type: text/html\n\n" - puts skel('comment.rb', "#{DN}/captcha", <blog / comment-captcha') + puts skel("#{DN}/captcha", <blog / captcha')

Hello friend. I haven't read a post from #{IP}, and I only remember for a few months, so:

#{captcha_q}

-
+ @@ -106,7 +109,6 @@ def fail(msg) end def redir - File.write('/tmp/x', GOTO) puts 'Status: 302 Found' puts "Location: #{GOTO}#comment-section\n\n" exit(0) @@ -126,18 +128,18 @@ if cgi.has_key?('goto') GOTO = cgi['goto'] else GOTO = '/' - fail['redir to /'] + fail('redir to /') end if (cgi.has_key?('url') && cgi['url'] != "") || ! cgi.has_key?('comment') - fail["comment not in form or url in form. cgi.params: #{cgi.params}"] + fail("comment not in form or url in form. cgi.params: #{cgi.params}") end COMMENT_TXT = cgi["comment"] if COMMENT_TXT.length > 1000 or GOTO.length > 150 - fail['length of comment or goto is too great'] + fail('length of comment or goto is too great') end @@ -154,12 +156,12 @@ end found = false Dir.foreach('blog') do |entry| next if ['.','..'].any? { |f| f == entry } - if GOTO == 'blog/' + entry + if GOTO == '/blog/' + entry found = true break end end - fail['goto entry not found'] unless found + fail('goto entry not found') unless found }[] ######### end error checking & arg parsing ######## @@ -194,18 +196,20 @@ SQL unless state older_date = NOW - DAY*2 - last_moderated = $db.execute(<<-SQL, [older_date])[-1][0] + last_moderated = $db.execute(<<-SQL, [older_date])[-1] select date from c where ip = '#{IP}' and ( state = 'moderated' or (date < ? and (state = 'timed' or state = 'known'))) SQL - last_good = $db.execute(<<-SQL, [older_date])[-1][0] + last_moderated = last_moderated[0] if last_moderated + last_good = $db.execute(<<-SQL, [older_date])[-1] select date from c where ip = '#{IP}' and ( state = 'picked' or (date < ? and (state = 'timed' or state = 'known'))) SQL + last_good = last_good[0] if last_good if last_moderated && last_good if last_good > last_moderated state = 'known' diff --git a/b.rb b/b.rb index 511ac8d..2a612a6 100644 --- a/b.rb +++ b/b.rb @@ -49,6 +49,7 @@ module B # blog module end def fwrite(output_path, string) + output_path = File.join('./', output_path) FileUtils.mkdir_p(File.dirname(output_path)) File.write(output_path, string) end @@ -161,11 +162,11 @@ EOF b = File.basename(file,'.md') # date is in the format: YYYY-MM-DD- date = Time.parse(b[0..DATE_LEN]) - rel_path = "blog/#{b[(DATE_LEN + 1)..-1]}.html" + rel_path = "/blog/#{b[(DATE_LEN + 1)..-1]}.html" comments = $db.execute <<-SQL, [WAIT_DATE] select comment, date from c where page = '#{rel_path}' and ( - state = 'picked' or state = 'known' + state = 'picked' or state = 'known' or state = 'timed' or (state = 'waiting' and date < ?)) SQL # get earliest comment. earlier ones stored in git will also be @@ -221,7 +222,7 @@ EOF comment_html("Note: there #{text} pending approval.", NOW) end com_section = <<-EOF - + @@ -270,7 +271,7 @@ EOF footer: footer_extra, comments: com_section, description: description) - url="#{DURL}/#{rel_path}" + url="#{DURL}#{rel_path}" # following from https://creativecommons.org/choose, diff --git a/build.rb b/build.rb index 4a6c268..4025eef 100755 --- a/build.rb +++ b/build.rb @@ -84,6 +84,8 @@ stdpage('blog', < EOF -stdpage('resume', md_to_html(File.read('../resume.md'))) +if File.exists? ('../resume.md') + stdpage('resume', md_to_html(File.read('../resume.md'))) +end stdpage('favorite-stuff', File.read('../favorite-stuff.html')) diff --git a/setup.sh b/setup.sh index 3230bba..66953c5 100755 --- a/setup.sh +++ b/setup.sh @@ -20,7 +20,8 @@ set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR -cd "${BASH_SOURCE%/*}" +script_dir=$(readlink -f "${BASH_SOURCE%/*}") +cd "$script_dir" domain=${1:-iankelling.org} # use argument for testing site gitroot=/a/bin/githtml @@ -91,6 +92,11 @@ apache-site - $domain < + + Options +ExecCGI + SetHandler cgi-script + + # redirect some old paths when I was using jekyll. Redirect permanent /10-14-2014/On2-vote-results.html /blog/on2-vote-results.html Redirect permanent /09-29-2014/say-On2.html /blog/say-on2.html @@ -178,4 +184,5 @@ gitweb_descriptions() { gitweb_descriptions -./build.rb +$script_dir/build.rb +s lnf -T $script_dir/_site /var/www/$domain/html -- 2.30.2