[PATCH] Updated upload.cgi to check group permissions.

Ricky Zhou ricky at fedoraproject.org
Fri Mar 13 22:32:28 UTC 2009


---
 configs/web/applications/upload.cgi |   49 +++++++++++++++++++---------------
 1 files changed, 27 insertions(+), 22 deletions(-)
 mode change 100755 => 100644 configs/web/applications/upload.cgi

diff --git a/configs/web/applications/upload.cgi b/configs/web/applications/upload.cgi
old mode 100755
new mode 100644
index 3629fdd..74cb2bb
--- a/configs/web/applications/upload.cgi
+++ b/configs/web/applications/upload.cgi
@@ -5,6 +5,7 @@
 # every step along the way...
 #
 # $Id: upload.cgi,v 1.10 2005/04/15 23:44:24 gafton Exp $
+# License: GPL
 
 import os
 import sys
@@ -15,7 +16,6 @@ import tempfile
 import StringIO
 import grp
 
-
 # reading buffer size
 BUFFER_SIZE = 4096
 
@@ -25,6 +25,8 @@ DEBUG = 0
 # We check modules exist from this dircetory
 CVSREPO = "/cvs/pkgs/rpms"
 
+# Fedora Packager Group
+PACKAGER_GROUP = "packager"
 
 # log a trace of what we're doing
 def log_msg(*msgs):
@@ -57,9 +59,9 @@ def send_ok(text):
 # check and validate that all the fields are present
 def check_form(var):
     if not form.has_key(var):
-	send_error("required field '%s' is not present" % (var,))
+	send_error("Required field '%s' is not present" % (var,))
     ret = form.getvalue(var)
-    if type(ret) == type([]):
+    if type(ret) == list:
         send_error("Multiple values given for '%s'. Aborting" % (var,))
     ret = os.path.basename(ret) # this is a path component
     return ret
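Review bot: `os.path.basename(ret)` at the end of check_form does not by itself make the value a safe path component: it returns `..` unchanged for an input of `..` and an empty string for an input ending in `/`, and NAME is later used in `my_moddir = "%s/%s" % (my_topdir, NAME)`. A check right after the basename call, such as `if ret in ("", ".", ".."): send_error("Invalid value for '%s'" % (var,))`, would close that gap. The rewritten list test would also read better as `isinstance(ret, list)` than `type(ret) == list`. Whether send_error stops the request is not visible here, since its definition is outside the hunk.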
@@ -75,24 +77,23 @@ def check_dir(tmpdir, wok = os.W_OK):
         send_error("Path %s is not a directory." % (tmpdir,))
     return 1
 
-#
-# MAIN START
-#
-auth_username = auth_password = None
-need_auth = 1
+authenticated = False
+
 if os.environ.has_key('SSL_CLIENT_S_DN_CN'):
     auth_username = os.environ['SSL_CLIENT_S_DN_CN']
-    need_auth = 0
+    if auth_username in grp.getgrnam(PACKAGER_GROUP)[3]:
+        authenticated = True
 
 pieces = os.environ['REQUEST_URI'].split('/')
 assert pieces[1] == 'repo'
 
-if need_auth:
-        print """Status: 403 Unauthorized to access the document
+if not authenticated
+   print """Status: 403 Forbidden
 Content-type: text/plain
 
-"""
-        sys.exit(0)
+You must be in the %s group to upload.
+""" % PACKAGER_GROUP
+    sys.exit(0)
 
 form = cgi.FieldStorage()
 NAME = check_form("name")
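Review bot: The new `if not authenticated` line is missing its trailing colon, and the `print` under it is indented three spaces while `sys.exit(0)` is indented four, so the script will not compile and every request fails before the group check runs. It should read `if not authenticated:` with both statements at the same indent. The membership test `auth_username in grp.getgrnam(PACKAGER_GROUP)[3]` raises KeyError when the group does not exist, and gr_mem normally lists only explicitly added members, so an account whose primary group is packager may be refused. Wrapping the lookup in `try`/`except KeyError` and leaving `authenticated = False` keeps that failure a clean 403. The patch also changes the file mode from 100755 to 100644, which looks unintended if the web server executes this CGI directly.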
@@ -103,11 +104,11 @@ MD5SUM = check_form("md5sum")
 # In a submission, we don;t get a FILENAME, just the FILE.
 FILE = None
 FILENAME = None
+
 if form.has_key("filename"):
     # check the presence of the file
     FILENAME = check_form("filename")   
-    log_msg("Checking file status",
-            "NAME=%s FILENAME=%s MD5SUM=%s" % (NAME,FILENAME,MD5SUM))
+    log_msg("Checking file status", "NAME=%s FILENAME=%s MD5SUM=%s" % (NAME,FILENAME,MD5SUM))
 else:
     if form.has_key("file"):
         FILE = form["file"]
@@ -119,14 +120,15 @@ else:
             send_error("Could not extract the filename for upload. Aborting")
     else:
         send_error("required field '%s' is not present" % ("file", ))
-        log_msg("Processing upload request",
-                "NAME=%s FILENAME=%s MD5SUM=%s" % (NAME,FILENAME,MD5SUM))
-# Now that all the fields are valid,, figure out our operating environment
+        log_msg("Processing upload request", "NAME=%s FILENAME=%s MD5SUM=%s" % (NAME,FILENAME,MD5SUM))
+
+# Now that all the fields are valid, figure out our operating environment
 if not os.environ.has_key("SCRIPT_FILENAME"):
     send_error("My running environment is funky. Aborting")
 
 # start processing this request
 my_script = os.environ["SCRIPT_FILENAME"]
+
 # the module's top level directory
 my_topdir = os.path.dirname(my_script)
 my_moddir = "%s/%s" % (my_topdir, NAME)
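Review bot: The `log_msg("Processing upload request", ...)` call stays indented under the inner `else:` directly after `send_error(...)`, so if send_error ends the request (its definition is outside this hunk) an accepted upload is never logged. Dedenting it one level so that it runs after the `if form.has_key("file")` block, and adding the authenticated user, would give an audit record of who uploaded what: `log_msg("Processing upload request", "USER=%s NAME=%s FILENAME=%s MD5SUM=%s" % (auth_username, NAME, FILENAME, MD5SUM))`. The enclosing if/else starts before the hunk, so the intended placement should be confirmed against the full file.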
@@ -149,17 +151,17 @@ if os.access(file_dest, os.F_OK | os.R_OK):
         message = "Available"
     else:
         FILE.file.close()
-        message = "File %s already exists\nFile: %s Size: %d" % (
-            FILENAME, file_dest, s[stat.ST_SIZE])
+        message = "File %s already exists\nFile: %s Size: %d" % (FILENAME, file_dest, s[stat.ST_SIZE])
     send_ok(message)
     sys.exit(0)
+
 # just checking?
 if FILE is None:
     send_ok("Missing")
     sys.exit(-9)
-    
+
 # check that all directories are in place
-for tmpdir in [ my_topdir, my_moddir, my_filedir, my_md5dir]:
+for tmpdir in [my_topdir, my_moddir, my_filedir, my_md5dir]:
     if not check_dir(tmpdir):
         # we agree to create this directory if the corresponding cvs module dir exists
         if tmpdir == my_moddir:
@@ -187,18 +189,21 @@ while 1:
     tmpfd.write(s)
     m.update(s)
     FILELENGTH = FILELENGTH + len(s)
+
 # now we're done reading, check the MD5 sum of what we got
 tmpfd.close()
 my_md5sum = m.hexdigest()
 if MD5SUM != my_md5sum:
     send_error("MD5 check failed. Received %s instead of %s" % (
         my_md5sum, MD5SUM))
+
 # wow, even the MD5SUM matches. make sure full path is valid now
 for tmpdir in [ my_moddir, my_filedir, my_md5dir ]:
     if not check_dir(tmpdir):
         os.mkdir(tmpdir, 02775)
         log_msg("mkdir", tmpdir)
 # and move our file to the final location
+
 os.rename(tmpfile, file_dest)
 log_msg("Stored filesize", FILELENGTH, file_dest)
 
-- 
1.5.5.6



