137efea9b2a2dc6ade4965e5ab76309ec642635e hiram Tue Oct 25 21:02:06 2022 -0700 now with Reply-to Return-path and a bounce email and strict protection against usage only by assemblyRequest.html system refs #30184
diff --git src/hg/gar/gar.cgi.pl src/hg/gar/gar.cgi.pl
index bd4f4a7..9bd2769 100755
--- src/hg/gar/gar.cgi.pl
+++ src/hg/gar/gar.cgi.pl
@@ -1,101 +1,108 @@ #!/usr/bin/perl ## ## gar -- GenArk Request - receive requests for GenArk assemblies ## use URI::Escape; # use strict; # use warnings; my $httpRefer = "noReference"; my $referDomain = "noDomain"; +my $legitimateFrom = 'hclawson@ucsc.edu'; +my $httpReferMustBe = "assemblyRequest.html"; +my $domainMustBe = "ucsc.edu"; +my $sendTo = 'hclawson@ucsc.edu'; +my $Cc = 'clayfischer@ucsc.edu'; +my $bounceAddr = 'hiram@soe.ucsc.edu'; if (defined($ENV{'HTTP_REFERER'})) { my @a = split('/', $ENV{'HTTP_REFERER'}); $httpRefer = $a[-1]; # should be "assemblyRequest.html" my @b = split('\.', $a[-2]); $referDomain = "$b[-2].$b[-1]"; # should be "ucsc.edu" } print "Content-type: text/html\n\n"; print "GenArk Request assembly build\n"; print "\n"; # QUERY_STRING name=some%20name&email=some@email.com&asmId=GCF_000951035.1_Cang.pa_1.0 my %incoming = ( "name" => "noName", "email" => "noEmail", "asmId" => "noAsmId", "betterName" => "noBetterName", "comment" => "noComment", ); my $validIncoming = 0; my $extraneousArgs = 0; if (defined($ENV{"QUERY_STRING"})) { my $qString = $ENV{"QUERY_STRING"}; my @idVal = split("&", $qString); foreach $id (@idVal) { my ($tag, $value) = split("=", $id, 2); # only accept known inputs, the five defined above for %incoming defaults if (defined($incoming{$tag}) && defined($value)) { $incoming{$tag} = uri_unescape( $value ); ++$validIncoming; } ++$extraneousArgs if (!defined($incoming{$tag})); } } -if ( ($validIncoming != 5) || ($extraneousArgs > 0) ) { +if ( ($validIncoming != 5) || ($extraneousArgs > 0) || ($referDomain ne $domainMustBe) || ($httpRefer ne $httpReferMustBe) ) { # not a legitimate request from our own business, do nothing. print "\n"; exit 0; } printf "\n"; my $DS=`date "+%F %T"`; chomp $DS; -open (FH, "|/usr/sbin/sendmail -t -oi"); -printf FH "To: hclawson\@ucsc.edu,clayfischer\@ucsc.edu +open (FH, "|/usr/sbin/sendmail -f \"${bounceAddr}\" -t -oi"); +printf FH "To: %s 
From: %s +Reply-to: %s +Return-path: %s +Cc: %s Subject: gar request: %s name: '%s' email: '%s' asmId: '%s' betterName: '%s' comment: '%s' -httpRefer '%s' -referDomain '%s' -date: '$DS' -", $incoming{"email"}, $incoming{"asmId"}, $incoming{"name"}, $incoming{"email"}, $incoming{"asmId"}, $incoming{"betterName"}, $incoming{"comment"}, $httpRefer, $referDomain; +date: '%s' +", $sendTo, $legitimateFrom, $incoming{"email"}, $legitimateFrom, $Cc, $incoming{"asmId"}, $incoming{"name"}, $incoming{"email"}, $incoming{"asmId"}, $incoming{"betterName"}, $incoming{"comment"}, ${DS}; close (FH); print "\n"; __END__ print "\n"; foreach $var (sort(keys(%ENV))) { $val = $ENV{$var}; $val =~ s|\n|\\n|g; $val =~ s|"|\\"|g; print "\n"; } print "
hgwdev-hiram CGI gar
${var}${val}
\n"; print "\n";
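Review bot: `$incoming{"email"}` and `$incoming{"asmId"}` are written into the `Reply-to:` and `Subject:` header lines of a message handed to `sendmail -t`, which takes its recipients from the headers, yet the new printf only `uri_unescape`s them, so a CR or LF inside either value would terminate the header line and anything after it would be parsed as further headers. Strip line breaks before the printf, e.g. `$incoming{$_} =~ s/[\r\n]+//g for keys %incoming;`, and preferably reject an email that does not match an anchored address pattern. The referrer gate added to the `if` is weaker than the commit title's "strict protection" suggests: `$referDomain` is taken from `$a[-2]`, the path segment before the file name rather than the host, and `HTTP_REFERER` is a client-supplied header in any case, so it filters accidental use but cannot authenticate the caller, which should be stated in the `# not a legitimate request` comment. The pipe `open` is still two-arg, unchecked, and goes through the shell; the list form `open my $fh, '|-', '/usr/sbin/sendmail', '-f', $bounceAddr, '-t', '-oi' or die "sendmail: $!";` (and a checked `close`) avoids both problems.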