Changeset 67 for trunk/dnsbl/browse.cgi

Timestamp:

01/09/18 18:12:13 (6 years ago)

Author:

Kris Deugau

Message:

/trunk/dnsbl

Review and update copyright dates on DNSBL.pm, DNSBLweb.pm, browse.cgi,

delist-ip, dnsbl.cgi, and export-dnsbl. Also add a version requirement
on DNSBL.pm in any callers.

Update browse.cgi with limited search and some operational-sanity boundaries

instead of blindly barfing out the entire dataset, requiring code changes
to view only a subset of data.

File:

• trunk/dnsbl/browse.cgi (modified) (4 diffs)

trunk/dnsbl/browse.cgi

@@ -3 +3 @@
 ##
 # $Id$
-# Copyright 2009-2011,2014 Kris Deugau <kdeugau@deepnet.cx>
+# Copyright 2009-2012,2014,2018 Kris Deugau <kdeugau@deepnet.cx>
 #
 #    This program is free software: you can redistribute it and/or modify
@@ -23 +23 @@
 use DBI;
 use CGI::Carp qw(fatalsToBrowser);
+use CGI::Simple;
 use HTML::Template;
 
-use DNSBL;
+use DNSBL 2.2;
 use DNSBLweb;
 
@@ -49 +50 @@
 }
 
+# Set up the CGI object...
+my $q = new CGI::Simple;
+# ... and get query-string params as well as POST params if necessary
+$q->parse_query_string;
+
+my %webvar;
+# This is probably excessive fiddling, but it puts the parameters somewhere my fingers know about...
+foreach ($q->param()) {
+  $webvar{$_} = $q->param($_);
+}
+
+# try to be friendly to non-US-ASCII characters.  Still need to find what
+# difference from RH<->Debian is still at fault.
+print $q->header(-charset=>'utf8');
+
 my $dbh = $dnsbl->connect($dbhost, $dbname, $dbuser, $dbpass);
 
-print "Content-Type: text/html\n\n";
+my $block = '';
 
 my $templatedir = $ENV{SCRIPT_FILENAME};
@@ -65 +81 @@
 }
 
-my $template = HTML::Template->new(filename => "browse.tmpl");
+# basic validation so we don't try to look up something ridiculous
+if ($webvar{block}) {
+  $webvar{block} =~ s/\s+//g;
+  $block = $webvar{block} if $webvar{block} =~ /^[\d\.]+(?:\/\d+)?$/;
+}
 
-$template->param(pgtitle => $config{pgtitle}) if defined($config{pgtitle});
-$template->param(pgcomment => $config{pgcomment}) if defined($config{pgcomment});
+if ($block) {
+  my $template = HTML::Template->new(filename => "browse.tmpl");
 
-my $out = DNSBLweb::retlvl($dbh, $dnsbl, 0, block => '162.144.0.0/16');
+  $template->param(pgtitle => $config{pgtitle}) if defined($config{pgtitle});
+  $template->param(pgcomment => $config{pgcomment}) if defined($config{pgcomment});
 
-$template->param(enchilada => $out);
-print $template->output;
+  my $out;
+  if ($block =~ /^[\d\.]+$/) {
+    $out = DNSBLweb::retlvl($dbh, $dnsbl, 0, ip => $block, block => $dnsbl->getcontainer($block,0) );
+  } else {
+    $out = DNSBLweb::retlvl($dbh, $dnsbl, 0, block => $block);
+  }
+
+  $template->param(enchilada => $out);
+  print $template->output;
+
+} else {
+  # refuse to show the whole tree, as in a "real" dataset it's horribly slow.  even a /8 is often "a bit much"
+  print qq(
+<html>
+<head>
+<title>$config{pgtitle}</title>
+<body>
+$config{pgcomment}<br>
+);
+  if ($webvar{block}) {
+    $webvar{block} =~ s{[^\w]+}{_}g;  #neuter any attempts at funky data injection
+    print qq(<span style="border: 1px solid #FF0000;">Invalid netblock specification $webvar{block}</span>\n);
+  }
+print qq(
+<form action="browse.cgi" method="POST">
+Enter a CIDR netblock to browse.<br>
+This does not have to exactly match a netblock entered in the database.<br>
+<input name="block">
+<input type="submit">
+</form>
+</body>
+</html>
+);
+}