Mon Jan 9 05:58:01 UTC 2006 Alberto Bertogli <albertogli@telpin.com.ar>
* Fix cache behaviour on uncaught exceptions.
This patch makes darcsweb cancel the cache when there is an uncaught exception,
avoiding leaving dot-files around the cache directory.
Also minimize DoS by not taking into account unused form parameters, and make
the hash independent of the position. This doesn't eliminate all the
opportunities for DoS, but reduces them significantly.
{
hunk ./darcsweb.cgi 30
+# exception handling
+def exc_handle(t, v, tb):
+ try:
+ cache.cancel()
+ except:
+ pass
+ cgitb.handler((t, v, tb))
+sys.excepthook = exc_handle
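Review bot: the bare `except:` around `cache.cancel()` swallows every exception, including SystemExit and KeyboardInterrupt, and hides the reason the cancel itself failed (for example a NameError if `cache` has not been created yet when the exception fires). Narrowing it to `except Exception:` and recording the failure would keep the hook robust without masking bugs in the cache code. Note also that `cgitb.handler` renders the full traceback, including source context and local variables, to the requesting client; for a public-facing CGI it is worth confirming the `cgitb` configuration points that detail at a log file rather than the browser.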
hunk ./darcsweb.cgi 455
- self.fname = sha.sha(url).hexdigest()
+ self.fname = sha.sha(repr(url)).hexdigest()
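Review bot: `url` is now a sorted list of `(name, value)` tuples rather than a URL string, so the attribute name is misleading; renaming it (for example to `request_key`) would make the cache-key construction self-explanatory. The position-independence of the hash relies entirely on the caller having sorted the list before passing it in; a short comment here stating that `repr()` of the sorted list is the canonical form would document that contract for future callers.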
hunk ./darcsweb.cgi 2243
+ # create a string representation of the request, ignoring all the
+ # unused parameters to avoid DoS
+ params = ['r', 'a', 'f', 'h', 'topi']
+ params = [ x for x in form.keys() if x in params ]
+ url_request = [ (x, form[x].value) for x in params ]
+ url_request.sort()
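Review bot: `form[x].value` raises AttributeError when the same parameter is supplied more than once, because `cgi.FieldStorage.__getitem__` returns a list of field objects in that case rather than a single field; using `form.getfirst(x)` (or `form.getlist(x)` if repeated values are meaningful) avoids turning a repeated parameter into an uncaught exception, which would also defeat the cache-cancel path this patch adds. Reusing `params` first for the allow-list and then for the filtered keys hurts readability; two names such as `allowed` and `present` would be clearer. Please also confirm that `'topi'` is the intended parameter name rather than a truncated `'topic'`, since any mismatch silently drops that parameter from the cache key.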
}