Question

I think that I was following the standard set of instructions, which resulted in mailnotify being placed in the CGI directory, along with view, et al.

(Or, possibly, with the CGI directory being pointed to twiki/pub. That's not what I did, but I think that's also a legit interpretation of the installation guide.)

Anyway... mailnotify is not a cgi script. It is not intended to run as a CGI script, according to MailNotifyWithoutCron and my looking at the code.

It is bad practice for mailnotify to be placed in a CGI directory.

It could potentially be a security hole (do you know that it is not?).

RECOMMENDATION: twiki/bin should be split into CGI and non-CGI bins. And there should probably be more non-CGI scripts added.

-- AndyGlew - 27 Jun 2003

Answer

I agree.

Incidently, I think also that this topic should not be in Support - it would be better named Codev.MailNotifyShouldNotBeInCgiPath !

-- MartinCleaver - 27 Jun 2003

Moved this from the Support web.

-- PeterThoeny - 30 Jun 2003

In fact, it would be great to move mailnotify in a dedicated directory and define an interface for mailnotify (like plugins have) so to let people enjoy PERL to do what the need ;-). I wanted to add some enhancements to mailnotify and first had a look at TWiki topics, then I see that we could do a lot... so , having a clean interface like TWiki plugins have would be a good starting point (minimum is list of methods we can use, etc...)

Is anybody working on mailnotify enhancement ? NewEmailNotificationSystem sounds good !

-- PatrickNomblot - 12 Sep 2003