More thoroughly reject direct access to unintended files, such that

URIs like http://man.openbsd.org/OpenBSD-current/mandoc.db and http://man.openbsd.org/OpenBSD-current/man1/ do not cause display of garbage.
author: Ingo Schwarze <schwarze@openbsd.org> 2017-04-19 01:00:03 +0000
committer: Ingo Schwarze <schwarze@openbsd.org> 2017-04-19 01:00:03 +0000
commit: af17862b1d7e4ad39b12a7e6df025e553d1c1dbe (patch)
tree: 456c462ea4caf18dad26341e2e6345c41d049026 /cgi.c
parent: 50c21bf04a5555959f2d160928ffd6136da05d7a (diff)
download: mandoc-af17862b1d7e4ad39b12a7e6df025e553d1c1dbe.tar.gz
mandoc-af17862b1d7e4ad39b12a7e6df025e553d1c1dbe.tar.zst
mandoc-af17862b1d7e4ad39b12a7e6df025e553d1c1dbe.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/cgi.c b/cgi.c
index da638dcf..eeccd4ea 100644
--- a/cgi.c
+++ b/cgi.c
@@ -1,4 +1,4 @@
-/*	$Id: cgi.c,v 1.153 2017/03/18 16:48:24 schwarze Exp $ */
+/*	$Id: cgi.c,v 1.154 2017/04/19 01:00:03 schwarze Exp $ */
 /*
  * Copyright (c) 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2014, 2015, 2016, 2017 Ingo Schwarze <schwarze@usta.de>
@@ -1073,7 +1073,8 @@ main(void)
 
 	if (*path != '\0') {
 		parse_path_info(&req, path);
-		if (req.q.manpath == NULL || access(path, F_OK) == -1)
+		if (req.q.manpath == NULL || req.q.sec == NULL ||
+		    *req.q.query == '\0' || access(path, F_OK) == -1)
 			path = "";
 	} else if ((querystring = getenv("QUERY_STRING")) != NULL)
 		parse_query_string(&req, querystring);
author	Ingo Schwarze <schwarze@openbsd.org>	2017-04-19 01:00:03 +0000
committer	Ingo Schwarze <schwarze@openbsd.org>	2017-04-19 01:00:03 +0000
commit	af17862b1d7e4ad39b12a7e6df025e553d1c1dbe (patch)
tree	456c462ea4caf18dad26341e2e6345c41d049026 /cgi.c
parent	50c21bf04a5555959f2d160928ffd6136da05d7a (diff)
download	mandoc-af17862b1d7e4ad39b12a7e6df025e553d1c1dbe.tar.gz mandoc-af17862b1d7e4ad39b12a7e6df025e553d1c1dbe.tar.zst mandoc-af17862b1d7e4ad39b12a7e6df025e553d1c1dbe.zip