
Re: cgi.debian.org redirect.pl abuse



On Tue, Mar 23, 2004 at 12:39:29PM +0100, Björn Stenberg wrote:
> http://cgi.debian.org/cgi-bin/redirect.pl is being abused to create links to
> non-debian material that to uninformed users look like links to debian.org
> content.
> 
> An example:
>   http://slashdot.org/comments.pl?sid=101404&cid=8643344
> 
> I suggest the script be limited in what it allows redirection to.
> 
> (Please CC me on replies. I am not subscribed to the list.)

Hmm, I think we could tighten the requirements on the request because
only one of the possible redirect methods is actually used in
redirect.pl:

--- /org/cgi.debian.org/cgi-bin/redirect.pl	Mon Oct 28 04:21:09 2002
+++ redirect.pl	Tue Mar 23 06:47:45 2004
@@ -24,13 +24,13 @@
 
   # print $input->header('text/html'); -- not allowed according to CGI(3pm)
   $site = $input->param('site');
-  if ($input->param('page')) {
-    if ($site =~ /^\w\w$/) {
-      print $input->redirect("http://www.".$site.".debian.org".$input->param('page'))
-    } else {
-      print $input->redirect($site.$input->param('page'))
-    }
+  if ($input->param('page') && ($site =~ /^\w\w$/)) {
+      print $input->redirect("http://www.".$site.".debian.org".$input->param('page'));
   } else {
-    print $input->redirect($site);
+      print $input->header( -status => 400 );
+      print $input->start_html("Malformed parameters");
+      print $input->h1("Malformed parameters");
+      print $input->p("Sorry, couldn't redirect because one or more parameters were missing and/or malformed");
+      print $input->end_html;
   }
 }
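Review bot: the `page` parameter is still concatenated into the Location header with no check on its shape, so after this change the only thing guaranteed about the target is the two-character `site` prefix; without a leading slash the result is not a path under the intended `www.XX.debian.org` host at all. Require the page to start with `/` before building the URL, e.g. `if ($input->param('page') =~ m{^/} && $site =~ /^\w\w$/)`, and consider checking `site` against the list of real `www.XX.debian.org` hosts rather than `^\w\w$`, which also accepts digits and underscores. Minor: the new `print` lines are indented six spaces where the surrounding block uses four.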

Gruesse,
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/
