Changeset 23389

Timestamp:
06.12.2010 13:39:26 (9 years ago)
Author:
mdewsnip
Message:

Commented out the code (3 occurrences) from cgiwrapper that reads and returns the error.txt file content, as I think it's a really bad idea. The error.txt file may be very large, causing out of memory problems and even crashing the machine in extreme cases where multiple processes are causing this type of error (e.g. automated processes that try to "hack" the Greenstone site by supplying values such as site URLs for the CGI arguments -- this actually happens). Also, the error.txt may contain information that shouldn't be exposed (such as usage or query information). Maybe this should be configurable through a main.cfg configuration setting, but I don't think it's worth it -- the only people who should need the contents of this file should have access to it through the file system. I think you can also view the contents of this file through the statusaction if you have a suitable login.

Files:
1 modified

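--- a/main/trunk/greenstone2/runtime-src/src/recpt/cgiwrapper.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/cgiwrapper.cpp
@@ -233,26 +233,34 @@
 
   text_t error_file = filename_cat (gsdlhome, "etc", "error.txt");
-  char *efile = error_file.getcstr();
-  ifstream errin (efile);
-  delete []efile;
-  if (errin) {
-    errortext += "The error log, " + error_file + ", contains the\n";
-    errortext += "following information:\n\n";
-    if (!debug) errortext += "<pre>\n";
-
-    char c;
-    errin.get(c);
-    while (!errin.eof ()) {
-      errortext.push_back(c);
-      errin.get(c);
-    }
+  // This is all commented out because I think it's a really bad idea
+  // The error.txt file may be very large, causing out of memory problems and even crashing the machine in extreme
+  //   cases where multiple processes are causing this type of error (e.g. automated processes that try to "hack"
+  //   the Greenstone site by supplying values such as site URLs for the CGI arguments -- this has happened)
+  // Also, the error.txt may contain information that shouldn't be exposed (such as usage or query information)
+  // Maybe this should be configurable through a main.cfg configuration setting, but I don't think it's worth it
+  // The only people who should need the contents of this file should have access to it through the file system
+  // I think you can also view the contents of this file through the statusaction if you have a suitable login
+//   char *efile = error_file.getcstr();
+//   ifstream errin (efile);
+//   delete []efile;
+//   if (errin) {
+//     errortext += "The error log, " + error_file + ", contains the\n";
+//     errortext += "following information:\n\n";
+//     if (!debug) errortext += "<pre>\n";
+
+//     char c;
+//     errin.get(c);
+//     while (!errin.eof ()) {
+//       errortext.push_back(c);
+//       errin.get(c);
+//     }
 
-    if (!debug) errortext += "</pre>\n";
-
-    errin.close();
-
-  } else {
+//     if (!debug) errortext += "</pre>\n";
+
+//     errin.close();
+
+//   } else {
     errortext += "Please consult " + error_file + " for more information.\n";
-  }
+//   }
 
   format_error_string (errorpage, errortext, debug);
@@ -264,24 +272,32 @@
 
   text_t error_file = filename_cat (gsdlhome, "etc", "error.txt");
-  char *efile = error_file.getcstr();
-  ifstream errin (efile);
-  delete []efile;
-  if (errin) {
-    errortext += "The error log, " + error_file + ", contains the\n";
-    errortext += "following information:\n\n";
-    if (!debug) errortext += "<pre>\n";
-
-    char c;
-    errin.get(c);
-    while (!errin.eof ()) {
-      errortext.push_back(c);
-      errin.get(c);
-    }
-    if (!debug) errortext += "</pre>\n";
-    errin.close();
-
-  } else {
+  // This is all commented out because I think it's a really bad idea
+  // The error.txt file may be very large, causing out of memory problems and even crashing the machine in extreme
+  //   cases where multiple processes are causing this type of error (e.g. automated processes that try to "hack"
+  //   the Greenstone site by supplying values such as site URLs for the CGI arguments -- this has happened)
+  // Also, the error.txt may contain information that shouldn't be exposed (such as usage or query information)
+  // Maybe this should be configurable through a main.cfg configuration setting, but I don't think it's worth it
+  // The only people who should need the contents of this file should have access to it through the file system
+  // I think you can also view the contents of this file through the statusaction if you have a suitable login
+//   char *efile = error_file.getcstr();
+//   ifstream errin (efile);
+//   delete []efile;
+//   if (errin) {
+//     errortext += "The error log, " + error_file + ", contains the\n";
+//     errortext += "following information:\n\n";
+//     if (!debug) errortext += "<pre>\n";
+
+//     char c;
+//     errin.get(c);
+//     while (!errin.eof ()) {
+//       errortext.push_back(c);
+//       errin.get(c);
+//     }
+//     if (!debug) errortext += "</pre>\n";
+//     errin.close();
+
+//   } else {
     errortext += "Please consult " + error_file + " for more information.\n";
-  }
+//   }
 
   format_error_string (errorpage, errortext, debug);
@@ -293,24 +309,32 @@
 
   text_t error_file = filename_cat (gsdlhome, "etc", "error.txt");
-  char *efile = error_file.getcstr();
-  ifstream errin (efile);
-  delete []efile;
-  if (errin) {
-    errortext += "The error log, " + error_file + ", contains the\n";
-    errortext += "following information:\n\n";
-    if (!debug) errortext += "<pre>\n";
-
-    char c;
-    errin.get(c);
-    while (!errin.eof ()) {
-      errortext.push_back(c);
-      errin.get(c);
-    }
-    if (!debug) errortext += "</pre>\n";
-    errin.close();
-
-  } else {
+  // This is all commented out because I think it's a really bad idea
+  // The error.txt file may be very large, causing out of memory problems and even crashing the machine in extreme
+  //   cases where multiple processes are causing this type of error (e.g. automated processes that try to "hack"
+  //   the Greenstone site by supplying values such as site URLs for the CGI arguments -- this has happened)
+  // Also, the error.txt may contain information that shouldn't be exposed (such as usage or query information)
+  // Maybe this should be configurable through a main.cfg configuration setting, but I don't think it's worth it
+  // The only people who should need the contents of this file should have access to it through the file system
+  // I think you can also view the contents of this file through the statusaction if you have a suitable login
+//   char *efile = error_file.getcstr();
+//   ifstream errin (efile);
+//   delete []efile;
+//   if (errin) {
+//     errortext += "The error log, " + error_file + ", contains the\n";
+//     errortext += "following information:\n\n";
+//     if (!debug) errortext += "<pre>\n";
+
+//     char c;
+//     errin.get(c);
+//     while (!errin.eof ()) {
+//       errortext.push_back(c);
+//       errin.get(c);
+//     }
+//     if (!debug) errortext += "</pre>\n";
+//     errin.close();
+
+//   } else {
     errortext += "Please consult " + error_file + " for more information.\n";
-  }
+//   }
 
   format_error_string (errorpage, errortext, debug);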
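Review bot: The fallback message kept at new lines 263, 300 and 337 still returns the absolute filesystem path of error.txt to the remote client, through `errortext += "Please consult " + error_file + " for more information.\n";`, so the error page goes on revealing the install location even though the log contents are no longer echoed. A generic message for web output would close that gap, e.g. `errortext += "Please consult the server's error log for more information.\n";`, keeping the path only in the `debug` case if that flag does mean local, non-HTML output (not visible on this page). The three blocks are identical and now consist mostly of commented-out code; deleting the dead code (the repository keeps the history) and leaving one short comment on why the log is not echoed would be easier to maintain than three copies of the eight-line rationale. The enclosing functions start and end outside these hunks, so whether errortext is escaped inside format_error_string cannot be judged from here.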