git.cameronkatri.com Git - mandoc.git/commit
Security fix:
author Ingo Schwarze <schwarze@openbsd.org>
Sat, 19 Jul 2014 11:35:12 +0000 (11:35 +0000)
committer Ingo Schwarze <schwarze@openbsd.org>
Sat, 19 Jul 2014 11:35:12 +0000 (11:35 +0000)
commit 52307465eda0160606943b97a728c54484b26fd7
tree ddc206065fec999715195d40c22fe7c288de3e94
parent 6d9b8bc9ac9935024b9c1b5d06d4f294d7fce3d1
Security fix:
Validate the name of the file to show before opening it.
Only allow relative filenames starting with "man" or "cat"
and containing neither "/.." nor "../".

While here, correct the condition discarding an initial "./".

Vulnerability found by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
Many thanks for sending a patch; however, I did not use it but made the
checks even stricter.
cgi.c
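
The filename rule stated in the commit message, written out as an added example; this is not the code from cgi.c or from the mandoc project. The function name filename_allowed is hypothetical, and discarding exactly one leading "./" before the checks is an assumption.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper, not mandoc's code: return 1 if `file` is a
 * relative name starting with "man" or "cat" that contains neither
 * "/.." nor "../", and 0 otherwise.
 */
static int
filename_allowed(const char *file)
{
	if (file == NULL)
		return 0;

	/* Assumption: a single leading "./" is discarded first. */
	if (file[0] == '.' && file[1] == '/')
		file += 2;

	/* Prefix check; this also rejects "" and absolute paths. */
	if (strncmp(file, "man", 3) != 0 && strncmp(file, "cat", 3) != 0)
		return 0;

	/* No parent-directory component anywhere in the name. */
	if (strstr(file, "/..") != NULL || strstr(file, "../") != NULL)
		return 0;

	return 1;
}

int
main(void)
{
	/* Constructed sample inputs. */
	static const char *const samples[] = {
		"man1/ls.1", "./cat8/mount.0", "/etc/passwd",
		"man1/../../etc/passwd", "../man1/ls.1", "man1/..",
		"etc/man1/ls.1", "././man1/ls.1", ""
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-24s %s\n", samples[i],
		    filename_allowed(samples[i]) ? "allow" : "reject");
	return 0;
}
```

Because the rule matches substrings, it also rejects harmless names such as "man1/..x"; erring on the strict side costs only a refused request.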