Mon Jan 9 05:58:01 UTC 2006 Alberto Bertogli <albertogli@telpin.com.ar>
* Fix cache behaviour on uncaught exceptions.
This patch makes darcsweb cancel the cache when there is an uncaught exception,
to avoid leaving dot-files around the cache directory.
Also minimize DoS by not taking into account unused form parameters, and make
the hash independent of parameter position. This doesn't eliminate all the
opportunities for DoS, but reduces them significantly.
diff -rN -u old-darcsweb/darcsweb.cgi new-darcsweb/darcsweb.cgi
--- old-darcsweb/darcsweb.cgi 2013-12-18 22:02:35.000000000 +0000
+++ new-darcsweb/darcsweb.cgi 2013-12-18 22:02:35.000000000 +0000
@@ -27,6 +27,14 @@
class config:
pass
+# exception handling
+def exc_handle(t, v, tb):
+ try:
+ cache.cancel()
+ except:
+ pass
+ cgitb.handler((t, v, tb))
+sys.excepthook = exc_handle
#
# utility functions
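Review bot: The bare `except: pass` around `cache.cancel()` in `exc_handle` hides every failure, not only the case where `cache` has not been assigned yet (as far as the visible hunks show, it is only created further down, under `if config.cachedir:`). If `cancel()` itself fails, the dot-file this commit is meant to clean up stays behind with no trace; catching `NameError` for the not-yet-created case and writing anything else to stderr would keep the handler safe while leaving evidence. Separately, `cgitb.handler((t, v, tb))` presumably renders the traceback with source context and local values into the HTTP response, which discloses paths and configuration to any remote client. On a public install consider `cgitb.Hook(display=0, logdir=<LOGDIR>).handle((t, v, tb))`, with an operator-chosen directory in place of the placeholder.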
@@ -444,7 +452,7 @@
def __init__(self, basedir, url):
self.basedir = basedir
self.url = url
- self.fname = sha.sha(url).hexdigest()
+ self.fname = sha.sha(repr(url)).hexdigest()
self.file = None
self.mode = None
self.real_stdout = sys.stdout
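Review bot: The parameter is still named `url`, but after this commit the caller passes a sorted list of `(name, value)` tuples, and nothing at the changed line says why `repr()` is needed. A comment such as `# url is the caller's sorted (name, value) list; repr() gives sha a stable string to hash` would keep a later maintainer from simplifying it back to `sha.sha(url)`. The same comment can state that only the hex digest becomes `self.fname`, so request values never appear in the file name directly. `__init__` and its class start and end outside this hunk.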
@@ -2232,6 +2240,12 @@
# check if we have the page in the cache
if config.cachedir:
url_request = os.environ['QUERY_STRING']
+ # create a string representation of the request, ignoring all the
+ # unused parameters to avoid DoS
+ params = ['r', 'a', 'f', 'h', 'topi']
+ params = [ x for x in form.keys() if x in params ]
+ url_request = [ (x, form[x].value) for x in params ]
+ url_request.sort()
cache = Cache(config.cachedir, url_request)
if cache.open():
# we have a hit, dump and run
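Review bot: `form[x].value` in the added list comprehension fails when a request repeats one of the whitelisted parameters: if `form` is a `cgi.FieldStorage`, as the `.value` access suggests, `form[x]` is then a list and the attribute lookup raises, so such a request takes the uncaught-exception path every time. `form.getfirst(x)` returns a single string in both cases: `url_request = [ (x, form.getfirst(x)) for x in params ]`. The assignment from `os.environ['QUERY_STRING']` just above is now overwritten before use and can be dropped, which also removes a `KeyError` when the variable is unset. The enclosing block starts and ends outside this hunk.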