cvsweb: Fix the QUERY_STRING parts of the XSS vulnerabilities found by

[schwarze@mandoc.bsd.lv]

Log Message:
-----------
Fix the QUERY_STRING parts of the XSS vulnerabilities found by Ezio Paglia
in a more robust way: do very strict whitelist-based input validation on
the characters occurring in the QUERY_STRING, such that everything  
stored in the %input hash table is safe in the first place without
requiring any kind of escaping later.  When finding unexpected characters
in the QUERY_STRING, it is safest to simply error out fatal()ly.

Tags:
----
FreeBSD-cvsweb-2_0-branch

Modified Files:
--------------
    cvsweb:
        cvsweb.cgi

Revision Data
-------------
Index: cvsweb.cgi
===================================================================
RCS file: /home/cvs/mandoc/cvsweb/cvsweb.cgi,v
retrieving revision 3.119.2.21
retrieving revision 3.119.2.22
diff -Lcvsweb.cgi -Lcvsweb.cgi -u -p -r3.119.2.21 -r3.119.2.22
--- cvsweb.cgi
+++ cvsweb.cgi
@@ -314,10 +314,18 @@ if (defined($query) && $query ne '') {
 	foreach (split (/&/, $query)) {
 		y/+/ /;
 		s/%(..)/sprintf("%c", hex($1))/ge;    # unquote %-quoted
-		if (/(\S+)=(.*)/) {
-			$input{$1} = $2 if ($2 ne "");
+		my ($key, $value) = split /=/;
+		$key =~ /([^a-z_12-])/ and fatal('404 Not Found',
+		    'Invalid character "%s" in query parameter "%s"',
+		    $1, $key);
+		if (defined $value) {
+			$value =~ /([^a-zA-Z_01-9.\/-])/ and fatal(
+			    '404 Not Found', 'Invalid character "%s"' .
+			    'in the value "%s" of the query parameter "%s"',
+			    $1, $value, $key);
+			$input{$key} = $value if $value ne '';
 		} else {
-			$input{$_}++;
+			$input{$key}++;
 		}
 	}
 }
--
 To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv