Update of /cvsroot/tmda/tmda/contrib/cgi
In directory sc8-pr-cvs1:/tmp/cvs-serv25304
Modified Files:
Release.py
Log Message:
Import cgitb (if available) to improve debugging.
Caught an exception if the message ID cannot be parsed.
Added a seteuid and setegid before trying to read the crypt file.
Moved the "read in e-mail code" down later so that other, more descriptive
exceptions could be caught first.
Manually append the address to CONFIRM_APPEND since Pending.release() adds the
address to PENDING_RELEASE_APPEND instead.
Sabotage the value of PENDING_RELEASE_APPEND so that release does not add to
this list.
Index: Release.py
===================================================================
RCS file: /cvsroot/tmda/tmda/contrib/cgi/Release.py,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- Release.py 14 Jan 2003 03:15:14 -0000 1.5
+++ Release.py 1 Feb 2003 05:13:09 -0000 1.6
@@ -23,6 +23,13 @@
This module is run when a user clicks a URL in a confirmation e-mail."""
+import cgi
+try:
+ import cgitb
+ cgitb.enable()
+except ImportError:
+ pass
+
import os
import pwd
import re
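Review bot: `cgitb.enable()` with its defaults renders the full traceback, including source context and local variable values, into the HTTP response, and this script is reached from links in e-mail sent to outside senders. Later code in this file handles the query-string HMAC and `Defaults.CRYPT_KEY`, so an uncaught exception near that code could put those values on the page. Keep the debugging aid but send reports to disk instead: `cgitb.enable(display=0, logdir=LOG_DIR)`, where LOG_DIR is a placeholder for a directory only the CGI user can write. `import cgi` is not used in any hunk shown here; if nothing else in the file needs it, it can go, or be used for output escaping.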
@@ -42,9 +49,14 @@
try:
UID, Timestamp, PID, HMAC = QueryString.split(".")
- User = pwd.getpwuid(int(UID))[0]
+ UserRec = pwd.getpwuid(int(UID))
+ User = UserRec[0]
+ GID = UserRec[3]
except ValueError:
- Fatal("format")
+ CgiUtil.TermError("Unable to parse query string." % \
+ (Timestamp, PID, HMAC), "Program error / corrupted link.",
+ "locate pending e-mail", "",
+ "Recheck link or contact TMDA programmers.")
MsgID = "%s.%s.msg" % (Timestamp, PID)
# Check to make sure they're not trying to access anything other than email
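Review bot: The new `CgiUtil.TermError` call in the `except ValueError` branch applies `% (Timestamp, PID, HMAC)` to a string with no format specifiers, so it raises TypeError instead of producing the error page. When `QueryString.split(".")` is what failed, those three names are not bound at all and the result is a NameError. Drop the formatting so the call starts `CgiUtil.TermError("Unable to parse query string.", "Program error / corrupted link.",`. `pwd.getpwuid()` raises KeyError for a uid with no passwd entry, so `except (ValueError, KeyError):` would route that case to the same page. With cgitb enabled by this same commit, any of these uncaught exceptions is shown to the requester as a traceback.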
@@ -62,20 +74,20 @@
# Yes, replace it
os.environ["TMDARC"] = os.environ["TMDARC"].replace("/~/", "/%s/" % User)
+ # Try to change users
+ try:
+ os.seteuid(0)
+ os.setegid(0)
+ os.setegid(self.Vars["GID"])
+ os.seteuid(self.Vars["UID"])
+ except OSError:
+ pass
+
# Now that we know who we are, get our defaults
from TMDA import Defaults
from TMDA import Pending
from TMDA import Cookie
- # Read in e-mail
- try:
- MsgObj = Pending.Message(MsgID)
- except Errors.MessageError:
- CgiUtil.TermError("Message could not be fetched.",
- "Message has already been released or deleted.",
- "retrieve pending e-mail", "",
- "Inquire with recipient about e-mail.")
-
try:
Defaults.CRYPT_KEY
except AttributeError:
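Review bot: The `except OSError: pass` around the new seteuid/setegid sequence also hides the case where `os.seteuid(0)` succeeded but the switch to the target user failed, leaving the rest of the request running with effective uid 0. Ignore the error only for the two calls that raise privileges (the not-setuid install case) and treat a failure of the two calls that drop them as fatal through `CgiUtil.TermError`. The calls read `self.Vars["GID"]` and `self.Vars["UID"]`, but no `self` is visible in these hunks and the earlier hunk binds plain `UID` (a string) and `GID`, so this looks like it should be `os.setegid(GID)` and `os.seteuid(int(UID))`; as written a NameError would not be caught by `except OSError`. The uid comes from the query string and the switch appears to happen before the HMAC is checked, so refusing uid 0 before the switch would be a sensible guard.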
@@ -100,6 +112,15 @@
"retrieve pending e-mail", "",
"Recheck link or contact TMDA programmers.")
+ # Read in e-mail
+ try:
+ MsgObj = Pending.Message(MsgID)
+ except Errors.MessageError:
+ CgiUtil.TermError("Message could not be fetched.",
+ "Message has already been released or deleted.",
+ "retrieve pending e-mail", "",
+ "Inquire with recipient about e-mail.")
+
print """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
@@ -126,13 +147,14 @@
print "</table><br>"
- if Defaults.PENDING_WHITELIST_APPEND:
+ if Defaults.CONFIRM_APPEND:
ConfirmAddr = Util.confirm_append_address \
(
parseaddr(MsgObj.msgobj["x-primary-address"])[1],
parseaddr(MsgObj.msgobj["return-path"])[1]
)
- print "Future e-mails from <tt>%s</tt> will not have to be confirmed." % \
+ if ConfirmAddr and Util.append_to_file(ConfirmAddr,
Defaults.CONFIRM_APPEND):
+ print "Future e-mails from <tt>%s</tt> will not have to be confirmed." %
\
ConfirmAddr
print """ </td>
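Review bot: `ConfirmAddr` is written into the page inside `<tt>%s</tt>` without HTML escaping, and it is derived from the pending message's `x-primary-address` and `return-path` headers, which the sender controls. Escape it at output, using the `cgi` module this commit already imports: `print "Future e-mails from <tt>%s</tt> will not have to be confirmed." % cgi.escape(ConfirmAddr)`. The same value is also passed to `Util.append_to_file`, so it is worth confirming that `confirm_append_address` cannot return an address containing a line break before it is written to the `CONFIRM_APPEND` file.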
@@ -142,5 +164,8 @@
</table>
</body>
</html>"""
+
+ # Make sure release does not write to PENDING_RELEASE_APPEND
+ Defaults.PENDING_RELEASE_APPEND = None
MsgObj.release()
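Review bot: `MsgObj.release()` runs after the closing `</html>` has been printed and has no handler around it in this hunk, so a failed release cannot be reported through `CgiUtil.TermError`. By that point the page has already told the sender the message went through, and the address has already been appended to `CONFIRM_APPEND`. Consider releasing before the success page is emitted, or wrapping the call so a failure produces the error page. The added comment says what the assignment does but not why; something like `# Address was already appended to CONFIRM_APPEND above; stop release() from also writing it to PENDING_RELEASE_APPEND` would tell the next reader why the module global is overwritten.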