Discussion:
/cgi-bin/ hardcoded
Tek Support
2005-08-07 10:26:00 UTC
Dear Creator:

I'd just like to point out that hardcoding /cgi-bin/ into the program is
perhaps a bad idea (v2.3.6).

I already have a /cgi-bin/ directory which my users/customers use.
Since I use qmail, it's an obvious test for any hacker/cracker to see
if I have the /vqadmin/ installed via the default path. I don't want
that, I want it in my own administration directory with all of my
other admin tools. So I simply created a new cgi-bin scriptalias into
my apache which resides inside of my administration folder, and, I
thought I would be set.

I've been fumbling around for many hours trying to get the ACLs
working right, when it turns out it's not the ACL, but that you're
actually hardcoding /cgi-bin/. And even though your ./configure
allows one to set the cgibindir flag, it doesn't do much good if you're
hardcoding /cgi-bin/ into the source.

I'll get by. I've edited all the .html files in your "html"
directory, and thought I was done. But still the link on the bottom
of the page for "Main VqAdmin" is still linking to cgi-bin. So now
I've found that you also have it hardcoded into "domain.c" and
"user.c". If you're going to allow me to change the install folder,
then you shouldn't have it hardcoded. Thanks for the program, but
perhaps this is something you can attend to for anyone else who can't
figure out what's going on.

Not what I'd expect from a C programmer.

Thanks
TekSaPort
Paul Theodoropoulos
2005-08-07 16:55:53 UTC
Post by Tek Support
Not what I'd expect from a C programmer.
yes, in my experience, i've always found that people are much more
willing to help me when i start off by insulting them.

best of luck to you, 'teksa'.


Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com
John Simpson
2005-08-08 21:21:25 UTC
Post by Paul Theodoropoulos
Post by Tek Support
Not what I'd expect from a C programmer.
yes, in my experience, i've always found that people are much more
willing to help me when i start off by insulting them.
funny, i don't remember a question in his original message.

i also don't remember seeing your name in the source code. the
message wasn't even sent to you, why go out of your way to attack
somebody with a legitimate complaint? calm down, the man's got
something to say, and i thought he did a pretty good job of saying it.

if you've been on this list for a while, you can't tell me you
haven't heard the same complaint about hard-coded path names several
times already. i know it's been said, because i complained about this
two years ago, back when i tried to get vqadmin running somewhere
other than a "/cgi-bin/" directory, even going so far as to write a
patch to fix the issue.

my complaint, and my patch, were ignored back then- just as i fully
expect them to be ignored by inter7 now.

sure, it's cool that you can click a link on their web site and
they'll send you a pen and some sticky notes with their logo, but the
fact that the version of vqadmin which is available for download on
inter7's web site is the same one that i wrote my patch against, TWO
YEARS AGO, tells me something.

almost all of inter7's software seems to suffer from the same
problem, having paths hard-coded into the programs. a WORKING method
of changing the directory and the URL path of the program in vqadmin
would be nice- although what would be even nicer would be if the
program would just look at the values of the SCRIPT_URI and
DOCUMENT_ROOT environment variables and figure it out at run time...

rather like a patch that i wrote two years ago.

again, i fully expect to be ignored by inter7- if there are indeed
any inter7 employees reading this list anymore. two years with no
updates, especially where there are known issues with the software,
and a patch just sitting out there on the net which has been offered
to you for free and fixes the issue... it's just plain sad.

for the benefit of "TekSaPort" and anybody else who's interested,
check out http://qmail.jms1.net/ ... about 3/4 of the way down the
page (search for "vqadmin") you will find a patch which fixes the
problem.

i know it worked on my own server two years ago, but i found that i
prefer using the command line tools over vqadmin anyway, so i no
longer use it... but if anybody finds any problems with it, please
let me know.

--------------------------------------------------
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ <***@jms1.net> |
--------------------------------------------------
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
--------------------------------------------------
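
The run-time lookup suggested in the message above, sketched as an added example; it is not John Simpson's patch and not vqadmin's own code. It assumes the standard CGI variable SCRIPT_NAME (rather than the SCRIPT_URI the post names) and a hypothetical script name `vqadmin.cgi`, and it allow-lists the path before echoing it into HTML.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the directory part of a CGI script path (for example
 * "/admin/cgi-bin/vqadmin.cgi") into out, keeping the trailing '/'.
 * Returns 0 on success and -1 if the value is missing, not an absolute
 * path, too long for out, or contains a character that is unsafe to
 * place inside an HTML href attribute. */
int cgi_base_dir(const char *script, char *out, size_t outlen)
{
    const char *slash;
    size_t n, i;

    if (script == NULL || script[0] != '/')
        return -1;
    if (script[1] == '/')              /* "//host/..." would link off-site */
        return -1;
    slash = strrchr(script, '/');      /* never NULL: script[0] is '/' */
    n = (size_t)(slash - script) + 1;  /* length including trailing '/' */
    if (n + 1 > outlen)
        return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)script[i];
        /* allow-list: plain URL path characters only, no quotes or <> */
        if (!(isalnum(c) || c == '/' || c == '-' || c == '_' ||
              c == '.' || c == '~'))
            return -1;
    }
    memcpy(out, script, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char base[256];

    /* SCRIPT_NAME is set by the web server for each CGI request. */
    if (cgi_base_dir(getenv("SCRIPT_NAME"), base, sizeof base) != 0) {
        fputs("Status: 500 Internal Server Error\r\n\r\n", stdout);
        return 1;
    }
    /* "vqadmin.cgi" is an assumed file name for this illustration. */
    printf("Content-Type: text/html\r\n\r\n"
           "<a href=\"%svqadmin.cgi\">Main VqAdmin</a>\n", base);
    return 0;
}
```

With this approach the links follow whatever ScriptAlias the administrator chose, so relocating the tool needs no source or template edits.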
Paul Theodoropoulos
2005-08-08 23:33:44 UTC
Post by John Simpson
Post by Paul Theodoropoulos
Post by Tek Support
Not what I'd expect from a C programmer.
yes, in my experience, i've always found that people are much more
willing to help me when i start off by insulting them.
funny, i don't remember a question in his original message.
"help" does not necessarily imply a question. he wants vqadmin
recoded to not have hard-coded /cgi-bin/. i don't see the developers
necessarily deciding they need to jump through hoops to do what this
person wants, when he opens by insulting them. furthermore, i may be
mistaken, but this is open source software. if you don't like
something about the software, you can either ask for it (nicely,
which usually is...nice) or you can *code it yourself*. 'teksaport'
says the quality of code is "not what [he'd] expect from a C
programmer". this implies he can do better. have at it, i say.
Post by John Simpson
i also don't remember seeing your name in the source code.
it's not. so what?
Post by John Simpson
the
message wasn't even sent to you, why go out of your way to attack
somebody with a legitimate complaint?
the message was sent to the vqadmin mailing list. it was, therefore,
sent to me. you have a strange notion of what an 'attack' is.
Post by John Simpson
calm down, the man's got
something to say, and i thought he did a pretty good job of saying it.
'calm down'? i'll note that i've just trimmed thirty-three lines,
across eight paragraphs (not including seven line sig) following your
comment above. and i'm the one who needs to calm down?

Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com
Fajar Priyanto
2005-08-09 00:49:22 UTC
Post by John Simpson
for the benefit of "TekSaPort" and anybody else who's interested,
check out http://qmail.jms1.net/ ... about 3/4 of the way down the
page (search for "vqadmin") you will find a patch which fixes the
problem.
i know it worked on my own server two years ago, but i found that i
prefer using the command line tools over vqadmin anyway, so i no
longer use it... but if anybody finds any problems with it, please
let me know.
It's a real honor to have you here John. And I'm grateful to be able to use
your qmail patches.
--
Fajar Priyanto | Reg'd Linux User #327841 | http://linux2.arinet.org
07:45:23 up 47 min, Mandrakelinux release 10.2 (Limited Edition 2005) for i586
public key: https://www.arinet.org/fajar-pub.key
Charles M. Gerungan
2006-03-31 15:43:56 UTC
Post by John Simpson
for the benefit of "TekSaPort" and anybody else who's interested,
check out http://qmail.jms1.net/ ... about 3/4 of the way down the
page (search for "vqadmin") you will find a patch which fixes the
problem.
Thanks for the patch. I was one of those people that asked about this
many a moon ago.
--
Regards, Charles.