# HG changeset patch
# User Steve Kemp
# Date 1208196425 -3600
# Node ID e0ef0f218600d3b1e47414515abb960d4caecf1d
# Parent 1d4f3be0e000d8250476c954a84660a36858d535
Updated CGI script a little
diff -r 1d4f3be0e000 -r e0ef0f218600 cgi-bin/comments.cgi
--- a/cgi-bin/comments.cgi Mon Apr 14 19:04:14 2008 +0100
+++ b/cgi-bin/comments.cgi Mon Apr 14 19:07:05 2008 +0100
@@ -35,7 +35,10 @@
 #
-# The directory to store comments in
+# The directory to store comments in.
+#
+# NOTE: This should be writeable to the www-data user, and shouldn't
+# be inside your web-root - or you open up a security hole.
 #
 #
 my $COMMENT = "/home/www/comments/";
 #
@@ -53,12 +56,12 @@
 # Get the parameters from the request.
 #
 my $cgi = new CGI();
-my $name = $cgi->param('name') || undef;
-my $mail = $cgi->param('mail') || undef;
-my $body = $cgi->param('body') || undef;
-my $id = $cgi->param('id') || undef;
+my $name = $cgi->param('name') || undef;
+my $mail = $cgi->param('mail') || undef;
+my $body = $cgi->param('body') || undef;
+my $id = $cgi->param('id') || undef;
 my $cap = $cgi->param('captcha') || undef;
-my $ajax = $cgi->param("ajax") || 0;
+my $ajax = $cgi->param("ajax") || 0;
 #
@@ -136,7 +139,7 @@
 # Open the file.
 #
 my $file = $COMMENT . "/" . $id . "." . $timestr;
-$file =~ s/[ \t]//g;
+$file =~ s/[^a-z0-9]/_/gi;
 open( FILE, ">", $file );
 print FILE "Name: $name\n";
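Review bot: The new substitution in the third hunk runs over the whole of `$file`, including the `$COMMENT` prefix and the `/` and `.` separators, so the slashes in `/home/www/comments/` become `_` and the comment is written to a relative name in the process's working directory instead of the configured directory (which also defeats the placement advice added in the first hunk). Sanitise the untrusted `$id` before it is joined into the path: `(my $safe_id = $id) =~ s/[^a-z0-9]/_/gi;` followed by `my $file = $COMMENT . "/" . $safe_id . "." . $timestr;`. The unchecked `open( FILE, ">", $file );` on the following line should also report failure, e.g. `open( FILE, ">", $file ) or die "open $file: $!";`, since a silently failed open loses the comment. `$id` is `undef` when the parameter is absent (second hunk), so a `defined` check before the substitution avoids an uninitialized-value warning; `$timestr` is built outside this hunk, so I cannot tell whether it needs the same treatment.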