Disable the form on the server

2025-05-24 14:46:16 +00:00 · 2023-01-25 08:28:45 +01:00 · 2023-01-25 08:28:45 +01:00 · f1ed87cd8a
commit f1ed87cd8a
parent 9346a2adc2
2 changed files with 14 additions and 11 deletions
--- a/cgi-bin/form.py
+++ b/cgi-bin/form.py
@ -61,18 +61,24 @@ match os.environ.get("REQUEST_METHOD", "").upper():
 	case "GET":
 		# For GET requests, serve the form that the user requested. The CSRF
 		# token will be added here as well.
-		print("Status: 200")
-		print("Content-Type: text/html")
+
+		form_disabled = request_uri.startswith("/computer-beantragen/privat")
+
+		print(f"Status: {200 if not form_disabled else 503}")
+		print(f"Content-Type: text/html")
 		print(f"Set-Cookie: __Host-csrftoken={signed_csrf_token}; path=/; Secure; SameSite=Strict; HttpOnly")
 		print("")

 		with open(f"{SITE_DIRECTORY}/{request_uri.strip('/')}/index.html", "r") as template:
 			for line in template.readlines():
-				# This is a very rudimentary check to ensure that we actually
-				# place the token *inside* the form. It assumes that there is
-				# a) only one form on the site and
-				# b) the <form> tag doesn't end on the same line.
-				if re.match(r"<!--\s*form\s*-->", line, re.IGNORECASE) is not None:
+				if (
+					not form_disabled
+					# This is a very rudimentary check to ensure that we
+					# actually place the token *inside* the form. It requires
+					# adding a <!-- FORM --> comment somewhere in the form that
+					# will be replaced with the hidden fields and hCaptcha.
+					and re.match(r"<!--\s*form\s*-->", line, re.IGNORECASE) is not None
+				):
 					print(f'<input type="hidden" name="csrftoken" value="{csrf_token}" />')

 					print(f'<label class="form-input">')
@ -198,6 +204,7 @@ match request_uri:
 		ticket_details["Anzahl Drucker"] = get_form_value("printercount", 0, int)

 	case "/computer-beantragen/privat":
+		fail("503 Service Unavailable", "Form disabled")
 		form_name = "Computerantrag (privat)"
 		form_group = "csw-Anfragen"
 		ticket_details["Adresse"] = get_form_value("addressline")
--- a/sites/angestoepselt/httpd.conf
+++ b/sites/angestoepselt/httpd.conf
@ -47,10 +47,6 @@ $HTTP["request-method"] =~ "GET|POST" {
 	)
 }

-$HTTP["url"] =~ "^/computer-beantragen/privat" {
-
-}
-
 $HTTP["url"] =~ "^/cgi-bin/" {
 	alias.url += ( "/cgi-bin" => "@cgibin@" )