From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from krisdoz.my.domain (schwarze@localhost [127.0.0.1]) by krisdoz.my.domain (8.14.5/8.14.5) with ESMTP id s6IJ3dFF002983 for ; Fri, 18 Jul 2014 15:03:39 -0400 (EDT)
Received: (from schwarze@localhost) by krisdoz.my.domain (8.14.5/8.14.3/Submit) id s6IJ3dpM004566; Fri, 18 Jul 2014 15:03:39 -0400 (EDT)
Date: Fri, 18 Jul 2014 15:03:39 -0400 (EDT)
Message-Id: <201407181903.s6IJ3dpM004566@krisdoz.my.domain>
X-Mailinglist: mdocml-source
Reply-To: source@mdocml.bsd.lv
MIME-Version: 1.0
From: schwarze@mdocml.bsd.lv
To: source@mdocml.bsd.lv
Subject: mdocml: Do not use the HTTP_HOST CGI variable, just make the HTTP
X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/
Content-Type: text/plain; charset=utf-8

Log Message:
-----------
Do not use the HTTP_HOST CGI variable, just make the HTTP redirect Location: relative. Less user input is good; it reduces the attack surface. Besides, this removes one global variable and 4 lines of code. Patch from Sebastien Marie .

Modified Files:
--------------
mdocml:
cgi.c
man.cgi.8

Revision Data
-------------
Index: man.cgi.8
===================================================================
RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/man.cgi.8,v
retrieving revision 1.6
retrieving revision 1.7
diff -Lman.cgi.8 -Lman.cgi.8 -u -p -r1.6 -r1.7
--- man.cgi.8
+++ man.cgi.8
@@ -266,11 +266,6 @@ is supported as an alias for The web server may pass the following CGI variables to .Nm : .Bl -tag -width Ds -.It Ev HTTP_HOST -The FQDN of the (possibly virtual) host the HTTP server is running on. -This is used for -.Ic Location: -headers in HTTP 303 responses. .It Ev PATH_INFO The final part of the URI path passed from the client to the server, starting after the Index: cgi.c =================================================================== RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/cgi.c,v retrieving revision 1.74 retrieving revision 1.75 diff -Lcgi.c -Lcgi.c -u -p -r1.74 -r1.75 --- cgi.c +++ cgi.c @@ -79,7 +79,6 @@ static void resp_searchform(const stru static void resp_show(const struct req *, const char *); static const char *scriptname; /* CGI script name */ -static const char *httphost; /* hostname used in the URIs */ static const int sec_prios[] = {1, 4, 5, 8, 6, 3, 7, 2, 9}; static const char *const sec_numbers[] = { @@ -530,8 +529,8 @@ pg_searchres(const struct req *req, stru * without any delay. */ printf("Status: 303 See Other\r\n"); - printf("Location: http://%s%s/%s/%s?", - httphost, scriptname, req->q.manpath, r[0].file); + printf("Location: %s/%s/%s?", + scriptname, req->q.manpath, r[0].file); http_printquery(req); printf("\r\n" "Content-Type: text/html; charset=utf-8\r\n" @@ -906,9 +905,6 @@ main(void) if (NULL == (scriptname = getenv("SCRIPT_NAME"))) scriptname = ""; - - if (NULL == (httphost = getenv("HTTP_HOST"))) - httphost = "localhost"; /* * First we change directory into the MAN_DIR so that -- To unsubscribe send an email to source+unsubscribe@mdocml.bsd.lv
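Review bot: dropping the whole HTTP_HOST entry from man.cgi.8 leaves the manual with no statement of how the Location: header of the HTTP 303 response is built any more; since the cgi.c hunks now derive it from SCRIPT_NAME, move the sentence "This is used for .Ic Location: headers in HTTP 303 responses." to the SCRIPT_NAME entry instead of deleting it, so administrators know which variable must be set correctly for redirects to land on the right path.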
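Review bot: the new `printf("Location: %s/%s/%s?", scriptname, ...)` emits a path-absolute reference, which RFC 2616 section 14.30 did not allow (it required an absoluteURI) but RFC 7231 section 7.1.2 explicitly permits, and clients have resolved relative Location headers for years, so the change is safe in practice; a one-line comment to that effect above the printf would spare the next reader the same lookup. Worth confirming while on this line: req->q.manpath and r[0].file still reach the header unencoded, which predates this hunk, so unless manpath has already been matched against the configured manpath list before pg_searchres runs, percent-encoding both fields (or rejecting unknown manpaths) is the remaining cleanup this commit's "less user input" rationale points at.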
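Review bot: with httphost and its "localhost" default gone, scriptname is the only component anchoring the redirect target, yet the fallback `scriptname = "";` is kept, so a server that does not set SCRIPT_NAME now produces `Location: /<manpath>/<file>?...` relative to the site root rather than a redirect to localhost; that is probably the better of the two behaviours, but either document SCRIPT_NAME as required in man.cgi.8 or emit an explicit error when it is missing instead of silently redirecting to a path that may not exist.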