Date: Thu, 21 Mar 2019 11:32:16 -0500 (EST)
X-Mailinglist: mandoc-source
Reply-To: source@mandoc.bsd.lv
From: schwarze@mandoc.bsd.lv
To: source@mandoc.bsd.lv
Subject: cvsweb: A web server should absolutely run chrooted, so storing a
X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/

Log Message:
-----------
A web server should absolutely run chrooted, so storing a configuration file below /usr/local/etc/ makes no sense whatsoever. Also, the configuration file should certainly not be in a directory where files can get executed as CGI scripts, so looking in the same directory as cvsweb.cgi is a bad idea, too. Considerably simplify things by hardcoding a reasonable location. The INSTALL file already instructs the user to check this.

Tags:
----
FreeBSD-cvsweb-2_0-branch

Modified Files:
--------------
cvsweb: cvsweb.cgi

Revision Data
-------------
Index: cvsweb.cgi
===================================================================
RCS file: /home/cvs/mandoc/cvsweb/cvsweb.cgi,v
retrieving revision 3.119.2.11
retrieving revision 3.119.2.12
diff -Lcvsweb.cgi -Lcvsweb.cgi -u -p -r3.119.2.11 -r3.119.2.12
--- cvsweb.cgi
+++ cvsweb.cgi
@@ -57,7 +57,7 @@ use strict; use vars qw ( $cvsweb_revision - $mydir $uname $config $allow_version_select $verbose + $uname $config $allow_version_select $verbose @CVSrepositories @CVSROOT %CVSROOT %CVSROOTdescr %MIRRORS %DEFAULTVALUE %ICONS %MTYPES @DIFFTYPES %DIFFTYPES @LOGSORTKEYS %LOGSORTKEYS 
@@ -151,18 +151,9 @@ delete $ENV{PATH}; $cvsweb_revision = '2.0.6'; -use File::Basename (); - -($mydir) = (File::Basename::dirname($0) =~ /(.*)/); # untaint - # == EDIT this == -# Locations to search for user configuration, in order: -for ("$mydir/cvsweb.conf", '/usr/local/etc/cvsweb/cvsweb.conf') { - if (defined($_) && -r $_) { - $config = $_; - last; - } -} +# Location of the configuration file inside the web server chroot: +$config = '/conf/cvsweb/cvsweb.conf'; # == Configuration defaults == # Defaults for configuration variables that shouldn't need -- To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv
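Review bot: dropping `$mydir` from the `use vars` list in the first hunk is the right companion to removing its only assignment in the second one; because the script runs under `use strict`, any leftover reference to `$mydir` elsewhere in cvsweb.cgi now fails at compile time instead of silently reading undef, so a `perl -c cvsweb.cgi` before committing is enough to confirm nothing else depended on it.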
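Review bot: in the second hunk the removed loop only assigned `$config` when `-r $_` succeeded, so a missing or unreadable file left `$config` undefined, whereas the new `$config = '/conf/cvsweb/cvsweb.conf';` assigns unconditionally; unless the code that later loads the file already checks readability, add something like `-r $config or die "cannot read $config"` next to the assignment so a misplaced file fails loudly rather than running on defaults. Two smaller points: `use File::Basename ();` is dropped as well, and since a fully qualified call such as `File::Basename::dirname(...)` is only caught at run time, grep the rest of the script for `File::Basename` before removing the import; and the `# == EDIT this ==` marker now sits above a fixed path that is only meaningful inside the web server chroot (outside one it resolves to the real filesystem root), so the INSTALL note the log message refers to should say that explicitly.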