Pledge man.cgi(8).

[mandoc.git] / cgi.c

diff --git a/cgi.c b/cgi.c
index 3303d00100b9fb715b8dbcdf527a9e27bb5c2724..af56da2701e90c3f6fa34a50d527f2df1a45d6c8 100644 (file)
--- a/cgi.c
+++ b/cgi.c
@@ -1,4 +1,4 @@
-/*     $Id: cgi.c,v 1.147 2017/02/08 13:34:27 schwarze Exp $ */
+/*     $Id: cgi.c,v 1.148 2017/02/22 16:20:01 schwarze Exp $ */
 /*
  * Copyright (c) 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2014, 2015, 2016, 2017 Ingo Schwarze <schwarze@usta.de>
@@ -978,6 +978,22 @@ main(void)
        const char      *querystring;
        int              i;
 
+#if HAVE_PLEDGE
+       /*
+        * The "rpath" pledge could be revoked after mparse_readfd()
+        * if the file desciptor to "/footer.html" would be opened
+        * up front, but it's probably not worth the complication
+        * of the code it would cause: it would require scattering
+        * pledge() calls in multiple low-level resp_*() functions.
+        */
+
+       if (pledge("stdio rpath", NULL) == -1) {
+               warn("pledge");
+               pg_error_internal();
+               return EXIT_FAILURE;
+       }
+#endif
+
        /* Poor man's ReDoS mitigation. */
 
        itimer.it_value.tv_sec = 2;