Disable the form on the server

This commit is contained in:
Yannik Rödel 2023-01-25 08:28:45 +01:00
parent 9346a2adc2
commit f1ed87cd8a
2 changed files with 14 additions and 11 deletions


@ -61,18 +61,24 @@ match os.environ.get("REQUEST_METHOD", "").upper():
case "GET":
# For GET requests, serve the form that the user requested. The CSRF
# token will be added here as well.
print("Status: 200")
print("Content-Type: text/html")
form_disabled = request_uri.startswith("/computer-beantragen/privat")
print(f"Status: {200 if not form_disabled else 503}")
print(f"Content-Type: text/html")
print(f"Set-Cookie: __Host-csrftoken={signed_csrf_token}; path=/; Secure; SameSite=Strict; HttpOnly")
print("")
with open(f"{SITE_DIRECTORY}/{request_uri.strip('/')}/index.html", "r") as template:
for line in template.readlines():
# This is a very rudimentary check to ensure that we actually
# place the token *inside* the form. It assumes that there is
# a) only one form on the site and
# b) the <form> tag doesn't end on the same line.
if re.match(r"<!--\s*form\s*-->", line, re.IGNORECASE) is not None:
if (
not form_disabled
# This is a very rudimentary check to ensure that we
# actually place the token *inside* the form. It requires
# adding a <!-- FORM --> comment somewhere in the form that
# will be replaced with the hidden fields and hCaptcha.
and re.match(r"<!--\s*form\s*-->", line, re.IGNORECASE) is not None
):
print(f'<input type="hidden" name="csrftoken" value="{csrf_token}" />')
print(f'<label class="form-input">')
@ -198,6 +204,7 @@ match request_uri:
ticket_details["Anzahl Drucker"] = get_form_value("printercount", 0, int)
case "/computer-beantragen/privat":
fail("503 Service Unavailable", "Form disabled")
form_name = "Computerantrag (privat)"
form_group = "csw-Anfragen"
ticket_details["Adresse"] = get_form_value("addressline")
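Review bot: The disabled-form test is written two different ways: the GET branch uses a prefix match, `form_disabled = request_uri.startswith("/computer-beantragen/privat")`, while the POST branch in the second hunk matches the exact path, `case "/computer-beantragen/privat":`. If any other URI shares that prefix, a GET to it would be answered 503 while its POST would still be accepted, so one shared check would be safer: a module-level set such as `DISABLED_FORMS = {"/computer-beantragen/privat"}` (placeholder name), `form_disabled = request_uri in DISABLED_FORMS` in the GET branch, and `if request_uri in DISABLED_FORMS: fail("503 Service Unavailable", "Form disabled")` before the POST `match` rather than inside a `case`, since a bare name in a `case` pattern captures instead of comparing. In the POST branch the assignments after `fail(...)` are presumably unreachable if `fail` exits, which is not visible here; a comment such as `# fail() does not return; kept so the form can be re-enabled` would make that intent explicit. Two smaller points: `print(f"Content-Type: text/html")` is an f-string with no placeholders, and `503 if form_disabled else 200` reads more directly than the double negative. Both enclosing `match` blocks extend beyond their hunks.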


@ -47,10 +47,6 @@ $HTTP["request-method"] =~ "GET|POST" {
)
}
$HTTP["url"] =~ "^/computer-beantragen/privat" {
}
$HTTP["url"] =~ "^/cgi-bin/" {
alias.url += ( "/cgi-bin" => "@cgibin@" )