From a9431200af8a50f84d1051041b949bb7266915a1 Mon Sep 17 00:00:00 2001
From: Neale Pickett <neale@woozle.org>
Date: Tue, 7 Sep 2010 21:31:23 -0600
Subject: [PATCH] CGI register was a bad idea

There's just no good way to tell what team is legit and
what team is an attempt at an XSS or whatever tomfoolery
contestants might be up to.  CGI might work for high school
kids, but for that a shell script would probably work.
---
 src/Makefile       |  3 +-
 src/register       | 13 +++++++
 src/register.cgi.c | 86 ----------------------------------------------
 3 files changed, 14 insertions(+), 88 deletions(-)
 create mode 100755 src/register
 delete mode 100644 src/register.cgi.c

diff --git a/src/Makefile b/src/Makefile
index 6f7c750..81105b6 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -1,10 +1,9 @@
-TARGETS = in.tokend register.cgi claim.cgi pointscli
+TARGETS = in.tokend claim.cgi pointscli
 
 all: $(TARGETS)
 
 in.tokend: in.tokend.o xxtea.o
 
-register.cgi: register.cgi.o cgi.o
 claim.cgi: claim.cgi.o cgi.o common.o
 pointscli: common.o pointscli.o
 
diff --git a/src/register b/src/register
new file mode 100755
index 0000000..a534b0c
--- /dev/null
+++ b/src/register
@@ -0,0 +1,13 @@
+#! /bin/sh -e
+
+if [ $# -ne 1 ]; then
+    echo "Usage: $0 TEAM" 1>&2
+    exit 64
+fi
+
+# Don't overwrite files
+set -C
+
+hash=$(echo "$1" | md5sum | cut -b 1-8)
+echo "$1" > /var/lib/ctf/teams/$hash
+echo "Registered with hash $hash"
diff --git a/src/register.cgi.c b/src/register.cgi.c
deleted file mode 100644
index 1831370..0000000
--- a/src/register.cgi.c
+++ /dev/null
@@ -1,86 +0,0 @@
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <ctype.h>
-#include "cgi.h"
-
-char *BASE_PATH = "/var/lib/ctf/teams";
-
-
-unsigned int
-djbhash(char const *buf, size_t buflen)
-{
-  unsigned int h = 5381;
-
-  while (buflen--) {
-    h = ((h << 5) + h) ^ *(buf++);
-  }
-  return h;
-}
-
-int
-main(int argc, char *argv[])
-{
-  char   team[80];
-  size_t teamlen;
-  char   hash[9];
-
-  if (-1 == cgi_init()) {
-    return 0;
-  }
-
-  /* Read in team name, the only thing we care about */
-  while (1) {
-    size_t len;
-    char   key[20];
-
-    len = cgi_item(key, sizeof(key));
-    if (0 == len) break;
-    if ((1 == len) && ('t' == key[0])) {
-      teamlen = cgi_item(team, sizeof(team));
-    }
-  }
-
-  /* Compute the hash */
-  sprintf(hash, "%08x", djbhash(team, teamlen));
-
-  /* Write team name into file */
-  {
-    char filename[100];
-    int  fd;
-    int  ret;
-
-    ret = snprintf(filename, sizeof(filename),
-                   "%s/%s",
-                   BASE_PATH, hash);
-    if (sizeof(filename) == ret) {
-      cgi_error("The full path to the team hash file is too long.");
-    }
-    fd = open(filename, 0444, O_WRONLY | O_CREAT | O_EXCL);
-    if (-1 == fd) {
-      cgi_page("Bad team name",
-               ("<p>Either that team name is already in use, or you "
-                "found a hash collision (way to go). "
-                "In any case, you're going to "
-                "have to pick something else.</p>"
-                "<p>If you're just trying to find your team hash again,"
-                "it's <samp>%s</samp>.</p>"),
-               hash);
-    }
-    write(fd, team, teamlen);
-    close(fd);
-  }
-
-  /* Let them know what their hash is. */
-  cgi_page("Team registered",
-            ("<p>Team hash: <samp>%s</samp></p>"
-             "<p><b>Save your team hash somewhere!</b>.  You will need it "
-             "to claim points.</b></p>"),
-            hash);
-
-  return 0;
-}