Mon Jan 9 05:58:01 UTC 2006 Alberto Bertogli * Fix cache behaviour on uncaught exceptions. This patch make darcsweb cancel the cache when there is an uncaught exception, avoiding leaving dot-files around the cache directory. Also minimize DoS by not taking into account unused form parameters, and make the hash independant of the position. This doesn't eliminate all the opportunities for DoS, but reduces them significatively.
diff -rN -u old-darcsweb/darcsweb.cgi new-darcsweb/darcsweb.cgi
--- old-darcsweb/darcsweb.cgi 2015-04-18 08:11:59.000000000 +0000
+++ new-darcsweb/darcsweb.cgi 2015-04-18 08:11:59.000000000 +0000
@@ -27,6 +27,14 @@
 class config:
 pass
+# exception handling
+def exc_handle(t, v, tb):
+ try:
+ cache.cancel()
+ except:
+ pass
+ cgitb.handler((t, v, tb))
+sys.excepthook = exc_handle
 #
 # utility functions
@@ -444,7 +452,7 @@
 def __init__(self, basedir, url):
 self.basedir = basedir
 self.url = url
- self.fname = sha.sha(url).hexdigest()
+ self.fname = sha.sha(repr(url)).hexdigest()
 self.file = None
 self.mode = None
 self.real_stdout = sys.stdout
@@ -2232,6 +2240,12 @@
 # check if we have the page in the cache
 if config.cachedir:
 url_request = os.environ['QUERY_STRING']
+ # create a string representation of the request, ignoring all the
+ # unused parameters to avoid DoS
+ params = ['r', 'a', 'f', 'h', 'topi']
+ params = [ x for x in form.keys() if x in params ]
+ url_request = [ (x, form[x].value) for x in params ]
+ url_request.sort()
 cache = Cache(config.cachedir, url_request)
 if cache.open():
 # we have a hit, dump and run
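Review bot: In the `@@ -27,6 +27,14 @@` hunk, `cgitb.handler((t, v, tb))` in the new `exc_handle` writes the full traceback, with source context and local variable values, into the HTTP response. On a publicly reachable CGI that discloses filesystem paths and configuration to any client whose request ends in an error. Whether cgitb was already enabled before this commit is not visible here, but the hook is a good place to switch to logging, e.g. `cgitb.Hook(display=0, logdir=LOGDIR).handle((t, v, tb))`, with `LOGDIR` a placeholder for a directory outside the web root. The bare `except: pass` also hides the `NameError` raised when `cache` was never bound (it is only assigned inside `if config.cachedir:` in the last hunk); if that is intended, a comment such as `# cache may not exist yet, or caching may be disabled` would say so.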
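Review bot: In the `@@ -444,7 +452,7 @@` hunk, hashing `repr(url)` instead of `url` changes the digest for every request, so cache files written under the old raw-query-string key can never be hit again. They will stay in the cache directory until something removes them, and the commit does not say whether a cleanup is expected on upgrade. The line would also benefit from a comment stating what `url` now holds, e.g. `# url is a sorted list of (name, value) pairs; repr() gives a stable string to hash`. The enclosing class (presumably `Cache`, judging by the call in the last hunk) starts above this hunk and `__init__` may continue below it.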
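Review bot: In the `@@ -2232,6 +2240,12 @@` hunk, `form[x].value` fails when an allowed parameter appears more than once in the request. Assuming `form` is a `cgi.FieldStorage` (its creation is outside the hunk), `form[x]` is then a list with no `.value`, so the request ends in the uncaught-exception handler instead of a page. `url_request = [ (x, form.getfirst(x)) for x in params ]` avoids that and keeps one value per name in the key, provided the rest of the script also reads only the first value. The preceding `url_request = os.environ['QUERY_STRING']` is now overwritten before use and could be dropped. The values of the five kept parameters are still unbounded, so the number of distinct cache files remains client-controlled; a cap on cache size or on value length would close more of the gap the commit message acknowledges.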