[Popcon-developers] Bug#239097: HTTP Post method for popcon
Bill Allombert
Bill Allombert <allomber@math.u-bordeaux.fr>, 239097@bugs.debian.org
Thu, 17 Feb 2005 23:28:37 +0100
On Tue, Feb 15, 2005 at 11:36:47AM +0000, Thom May wrote:
> * Bill Allombert (allomber@math.u-bordeaux.fr) wrote :
> > On Tue, Feb 08, 2005 at 12:46:14PM +0000, Thom May wrote:
> Ubuntu uses POST by default, yes (we don't setup an mta by default).
> There's no config file; popcon-upload just takes data on stdin.
How does popcon decide to report or not without a config file ?
> the relevant bit of the crontab is simply:
>
> run_popcon \
> | tee /var/log/popularity-contest \
> | /usr/sbin/popcon-upload >/dev/null 2>&1
Thanks for the information.
I have reviewed the CGI script, and I found some problems:
Apparently it bypasses the prepop.pl script by writing directly to the
popcon-data directory, however it does not implement 3 features of that
scripts:
1) It fails to check whether the first field is 'POPULARITY-CONTEST-0'
and the last line is 'END-POPULARITY-CONTEST-0'. This might be more
important if we implement version 1 style reports (which would start
by 'POPULARITY-CONTEST-1'.
2) It does not check if the hash match /^([a-f0-9]{32})$/. This is a
security hole, this allow an attacker to write arbitrary files on the
server with arbitrary contents.
3) It does not compare the timestamp of the header with the one of the
previous version of the file.
Also there is no locking performed when writing files, so two cgi
instance can try to write to a file at the same time.
One way to address that: compute a random id for each messages and store
them (without checking them) in a directory (maildir style).
The cronjob will concatenate all the files and pass that to prepop.pl.
After that you can empty the directory.
> > Also, popcon-upload.py is a python script. This will force user to
> > install python to use HTTP POST, and such users will always report
> > python as 'used in the last month' so this will artificially inflate the
> > usage of python in popcon stats. So I would prefer to stick with perl.
> >
> *shrug*; your choice. Given the number of other utilities in python, such as
> reportbug, I don't see this as a big deal.
Well, but according to popcon stats, python is only 93th.
(popcon.ubuntu.com does not show any stats, is it normal ?)
Cheers,
--
Bill. <ballombe@debian.org>
Imagine a large red swirl here.