From af17862b1d7e4ad39b12a7e6df025e553d1c1dbe Mon Sep 17 00:00:00 2001
From: Ingo Schwarze <schwarze@openbsd.org>
Date: Wed, 19 Apr 2017 01:00:03 +0000
Subject: [PATCH] More thoroughly reject direct access to unintended files,
 such that URIs like http://man.openbsd.org/OpenBSD-current/mandoc.db and
 http://man.openbsd.org/OpenBSD-current/man1/ do not cause display of garbage.

---
 cgi.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/cgi.c b/cgi.c
index da638dcf..eeccd4ea 100644
--- a/cgi.c
+++ b/cgi.c
@@ -1,4 +1,4 @@
-/*	$Id: cgi.c,v 1.153 2017/03/18 16:48:24 schwarze Exp $ */
+/*	$Id: cgi.c,v 1.154 2017/04/19 01:00:03 schwarze Exp $ */
 /*
  * Copyright (c) 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2014, 2015, 2016, 2017 Ingo Schwarze <schwarze@usta.de>
@@ -1073,7 +1073,8 @@ main(void)
 
 	if (*path != '\0') {
 		parse_path_info(&req, path);
-		if (req.q.manpath == NULL || access(path, F_OK) == -1)
+		if (req.q.manpath == NULL || req.q.sec == NULL ||
+		    *req.q.query == '\0' || access(path, F_OK) == -1)
 			path = "";
 	} else if ((querystring = getenv("QUERY_STRING")) != NULL)
 		parse_query_string(&req, querystring);
-- 
2.47.1