From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from localhost (fantadrom.bsd.lv [local])
	by fantadrom.bsd.lv (OpenSMTPD) with ESMTPA id a639b62d
	for <source@mdocml.bsd.lv>;
	Tue, 18 Apr 2017 20:00:33 -0500 (EST)
Date: Tue, 18 Apr 2017 20:00:33 -0500 (EST)
Message-Id: <5884899940732866185.enqueue@fantadrom.bsd.lv>
X-Mailinglist: mdocml-source
Reply-To: source@mdocml.bsd.lv
MIME-Version: 1.0
From: schwarze@mdocml.bsd.lv
To: source@mdocml.bsd.lv
Subject: mdocml: More thoroughly reject direct access to unintended files, such 
X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/
Content-Type: text/plain; charset=utf-8

Log Message:
-----------
More thoroughly reject direct access to unintended files, such that
URIs like http://man.openbsd.org/OpenBSD-current/mandoc.db and
http://man.openbsd.org/OpenBSD-current/man1/ do not cause display
of garbage.

Modified Files:
--------------
    mdocml:
        cgi.c

Revision Data
-------------
Index: cgi.c
===================================================================
RCS file: /home/cvs/mdocml/mdocml/cgi.c,v
retrieving revision 1.153
retrieving revision 1.154
diff -Lcgi.c -Lcgi.c -u -p -r1.153 -r1.154
--- cgi.c
+++ cgi.c
@@ -1073,7 +1073,8 @@ main(void)
 
 	if (*path != '\0') {
 		parse_path_info(&req, path);
-		if (req.q.manpath == NULL || access(path, F_OK) == -1)
+		if (req.q.manpath == NULL || req.q.sec == NULL ||
+		    *req.q.query == '\0' || access(path, F_OK) == -1)
 			path = "";
 	} else if ((querystring = getenv("QUERY_STRING")) != NULL)
 		parse_query_string(&req, querystring);
--
 To unsubscribe send an email to source+unsubscribe@mdocml.bsd.lv