* mdocml: More thoroughly reject direct access to unintended files, such
@ 2017-04-19 1:00 schwarze
From: schwarze @ 2017-04-19 1:00 UTC
To: source
Log Message:
-----------
More thoroughly reject direct access to unintended files, such that
URIs like http://man.openbsd.org/OpenBSD-current/mandoc.db and
http://man.openbsd.org/OpenBSD-current/man1/ do not cause display
of garbage.
Modified Files:
--------------
mdocml:
cgi.c
Revision Data
-------------
Index: cgi.c
===================================================================
RCS file: /home/cvs/mdocml/mdocml/cgi.c,v
retrieving revision 1.153
retrieving revision 1.154
diff -Lcgi.c -Lcgi.c -u -p -r1.153 -r1.154
--- cgi.c
+++ cgi.c
@@ -1073,7 +1073,8 @@ main(void)
if (*path != '\0') {
parse_path_info(&req, path);
- if (req.q.manpath == NULL || access(path, F_OK) == -1)
+ if (req.q.manpath == NULL || req.q.sec == NULL ||
+ *req.q.query == '\0' || access(path, F_OK) == -1)
path = "";
} else if ((querystring = getenv("QUERY_STRING")) != NULL)
parse_query_string(&req, querystring);
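Review bot: in the added condition, `*req.q.query == '\0'` dereferences req.q.query without a NULL test, while the two neighbouring fields (req.q.manpath and req.q.sec) are both compared against NULL first. If parse_path_info() can return with query unset for some PATH_INFO values, this is a NULL dereference in a CGI that handles untrusted request paths. Either put `req.q.query == NULL ||` in front of it, or add a comment stating that parse_path_info() always assigns query so the asymmetry is clearly intentional. A short comment above the test saying that a path is only accepted when it names a manpath, a section and a page name would also help, since the reason for requiring sec and query (rejecting requests for mandoc.db or a bare man1/ directory) is currently recorded only in the commit message. The access(path, F_OK) call stays last in the chain, which is right: the cheap structural checks now short-circuit before the filesystem is touched.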
--
To unsubscribe send an email to source+unsubscribe@mdocml.bsd.lv