discuss@mandoc.bsd.lv
 help / color / mirror / Atom feed
* man.cgi and gzip manuals: bug or feature
@ 2020-02-16 11:59 Stephen Gregoratto
  2020-02-16 12:43 ` Jan Stary
  2020-02-16 15:30 ` Ingo Schwarze
  0 siblings, 2 replies; 4+ messages in thread
From: Stephen Gregoratto @ 2020-02-16 11:59 UTC (permalink / raw)
  To: discuss

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=unknown-8bit, Size: 436 bytes --]

man.cgi doesn't handle serving gzipped manuals, with it dumping the raw
bytes onto the user's screen. You can view a simple test I made to
illustrate[1]. Not sure if this is a bug or some way of reducing attack
service ¯\_(ツ)_/¯.

[1] https://man.sgregoratto.me/gzip-test/man1/sh.1
    https://man.sgregoratto.me/gzip-test/man1/sh-plain.1
-- 
Stephen Gregoratto
--
 To unsubscribe send an email to discuss+unsubscribe@mandoc.bsd.lv

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: man.cgi and gzip manuals: bug or feature
  2020-02-16 11:59 man.cgi and gzip manuals: bug or feature Stephen Gregoratto
@ 2020-02-16 12:43 ` Jan Stary
  2020-02-16 12:55   ` Stephen Gregoratto
  2020-02-16 15:30 ` Ingo Schwarze
  1 sibling, 1 reply; 4+ messages in thread
From: Jan Stary @ 2020-02-16 12:43 UTC (permalink / raw)
  To: discuss

On Feb 16 22:59:47, dev@sgregoratto.me wrote:
> man.cgi doesn't handle serving gzipped manuals, with it dumping the raw
> bytes onto the user's screen. You can view a simple test I made to
> illustrate[1]. Not sure if this is a bug or some way of reducing attack
> service ¯\_(ツ)_/¯.
> 
> [1] https://man.sgregoratto.me/gzip-test/man1/sh.1

What happens when you name the file appropriately, such as ls.1.gz ?

--
 To unsubscribe send an email to discuss+unsubscribe@mandoc.bsd.lv

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: man.cgi and gzip manuals: bug or feature
  2020-02-16 12:43 ` Jan Stary
@ 2020-02-16 12:55   ` Stephen Gregoratto
  0 siblings, 0 replies; 4+ messages in thread
From: Stephen Gregoratto @ 2020-02-16 12:55 UTC (permalink / raw)
  To: discuss

On 2020-02-16 13:43, Jan Stary wrote:
> What happens when you name the file appropriately, such as ls.1.gz?

Same thing, raw bytes galore
-- 
Stephen Gregoratto
--
 To unsubscribe send an email to discuss+unsubscribe@mandoc.bsd.lv

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: man.cgi and gzip manuals: bug or feature
  2020-02-16 11:59 man.cgi and gzip manuals: bug or feature Stephen Gregoratto
  2020-02-16 12:43 ` Jan Stary
@ 2020-02-16 15:30 ` Ingo Schwarze
  1 sibling, 0 replies; 4+ messages in thread
From: Ingo Schwarze @ 2020-02-16 15:30 UTC (permalink / raw)
  To: Stephen Gregoratto; +Cc: discuss

Hi Stephen,

Stephen Gregoratto wrote on Sun, Feb 16, 2020 at 10:59:47PM +1100:

> man.cgi doesn't handle serving gzipped manuals,

Zipping manual pages is utterly stupid nowadays.  Manual pages are
small in the first place, so there is no point in zipping them.

The only reason why main.c supports zipped manuals is because
some operating systems anachronistically insist on it.  I'd
certainly like to kill the pointless feature, the implementation
is quite ugly, so the code could be nicely simplified.

I'm not going to add similar code to cgi.c.  When you run a server,
just unpack the stuff you are going to serve and be done with it.

Yours,
  Ingo
--
 To unsubscribe send an email to discuss+unsubscribe@mandoc.bsd.lv

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2020-02-16 15:30 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-16 11:59 man.cgi and gzip manuals: bug or feature Stephen Gregoratto
2020-02-16 12:43 ` Jan Stary
2020-02-16 12:55   ` Stephen Gregoratto
2020-02-16 15:30 ` Ingo Schwarze

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).