Commit log. Each entry gives the commit message, followed by the author, the date, the number of files changed and the lines removed/added.
* Security fix:
  After decoding numeric (\N) and one-character (\<, \> etc.) character escape sequences, do not forget to HTML-encode the resulting ASCII character. Malicious manuals were able to smuggle XSS content by roff-escaping the HTML-special characters they need. That's a classic bug type in many web applications, actually... :-( Found myself while auditing the HTML formatter for safe output handling.
  (Ingo Schwarze, 2014-07-23, 2 files, -29/+51)
* Security fix:
  The function print_encode() is used both for plain text and for quoted attribute values. Escape the '"' character such that malicious manuals cannot pull off XSS attacks using malformed .Lk, .Mt, .%U, and .UR macros (and maybe others) to trigger the latter case. In the former case, escaping does no harm. Issue found by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
  (Ingo Schwarze, 2014-07-22, 1 file, -2/+5)
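The two fixes above share one pattern: output encoding has to happen after every decoding step, and it has to cover the attribute-value context as well as text. The following C is an added illustration of that pattern and is not mandoc's own code. The escape decoder is a toy that models only \N'nnn', \<, \>, \& and \\ (other escapes simply lose their backslash); `render_html(in, 0)` reproduces the pre-fix behaviour (decoded characters emitted raw, '"' left alone) and `render_html(in, 1)` the corrected one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration, not mandoc code. render_html(in, 0) emits decoded
 * escapes raw and does not encode '"'; render_html(in, 1) HTML-encodes
 * every output character, whether it came from an escape or not.
 */

struct buf { char *s; size_t len, cap; };

static void
buf_putc(struct buf *b, char c)
{
	if (b->len + 2 > b->cap) {
		b->cap *= 2;
		if ((b->s = realloc(b->s, b->cap)) == NULL) {
			perror("realloc");
			exit(1);
		}
	}
	b->s[b->len++] = c;
	b->s[b->len] = '\0';
}

/* Emit c HTML-encoded; '"' is encoded only when quote is set. */
static void
html_putc(struct buf *b, int c, int quote)
{
	const char *s = NULL;

	switch (c) {
	case '<': s = "&lt;"; break;
	case '>': s = "&gt;"; break;
	case '&': s = "&amp;"; break;
	case '"': if (quote) s = "&quot;"; break;
	}
	if (s == NULL)
		buf_putc(b, (char)c);
	else
		while (*s != '\0')
			buf_putc(b, *s++);
}

/*
 * Decode one escape; *pp points just past the backslash and is advanced
 * past the sequence. Returns the ASCII character produced, or -1 when
 * nothing is produced (\&, or a \N whose argument is incomplete or not
 * numeric; that argument is discarded together with its bad delimiter).
 */
static int
roff_unescape(const char **pp)
{
	const char *p = *pp;
	char *end;
	long v;

	switch (*p) {
	case '\0':
		return -1;
	case '<': case '>': case '\\':
		*pp = p + 1;
		return *p;
	case '&':
		*pp = p + 1;
		return -1;
	case 'N':
		if (p[1] != '\'')
			break;
		v = strtol(p + 2, &end, 10);
		if (end == p + 2 || *end != '\'') {
			*pp = *end != '\0' ? end + 1 : end;
			return -1;
		}
		*pp = end + 1;
		return v > 0 && v < 128 ? (int)v : -1;
	}
	*pp = p + 1;	/* unknown escape: keep the character itself */
	return (unsigned char)*p;
}

/* Render roff text to HTML; fixed == 0 reproduces the pre-fix bugs. */
char *
render_html(const char *in, int fixed)
{
	struct buf b = { malloc(64), 0, 64 };
	int c;

	if (b.s == NULL) {
		perror("malloc");
		exit(1);
	}
	b.s[0] = '\0';
	while (*in != '\0') {
		if (*in != '\\') {
			html_putc(&b, (unsigned char)*in++, fixed);
			continue;
		}
		in++;
		if ((c = roff_unescape(&in)) < 0)
			continue;
		if (fixed)
			html_putc(&b, c, 1);	/* encode after decoding */
		else
			buf_putc(&b, (char)c);	/* bug: smuggled through raw */
	}
	return b.s;
}

int
main(void)
{
	const char *s = "\\N'60'script\\N'62'alert(1)\\N'60'/script\\N'62'";

	printf("vulnerable: %s\nfixed:      %s\n",
	    render_html(s, 0), render_html(s, 1));
	return 0;
}
```

Literal `<` was always encoded, which is why the bug was not obvious; only the characters produced by escape decoding bypassed the encoder. The `"` case matters when the same encoder feeds a quoted attribute value such as an href: without it, a manual can close the attribute and add event handlers.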
* Security fix to prevent XSS attacks:
  Restrict the character set of strings passed into html_alloc(), in particular architecture names that come from the QUERY_STRING, but also SCRIPT_NAME and manpath.conf content for additional safety, and bail out safely on violations. Issue reported by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
  (Ingo Schwarze, 2014-07-22, 2 files, -4/+82)
* fix a minibug reported by kristaps@:
  preserve manpath and arch in .Xr links
  (Ingo Schwarze, 2014-07-21, 1 file, -6/+10)
* Kristaps points out that the current HTTP/1.1 draft standard (RFC 2616)
  requires the Location: response-header field to be an absolute URI (14.30), and only the most recent proposed standard (RFC 7231), which is barely a month old, allows a relative Location: (7.1.2). While most modern browsers appear to support relative Location: headers, some may not, and it's maybe a bit early to rely on relative Location: headers.
  I'm not going back to the HTTP_HOST or SERVER_NAME CGI variables, though. While some CGI programs certainly require those, in which case both the CGI programmer and the web server admin have to be very careful to keep the system secure and reliable, man.cgi(8) does not really need them. We always know at compile time which domain we are running for, and for man.cgi(8), security and reliability are definitely much more important than flexibility. So make HTTP_HOST a compile-time definition for now.
  (Ingo Schwarze, 2014-07-21, 3 files, -6/+12)
* Security fix:
  Validate the manpath up front and report a Bad Request if it is not listed in manpath.conf, such that clients can't probe which directories exist on the server. In case of configuration errors, consistently report Internal Server Error without disclosing any further information. Partially based on a patch from Sebastien Marie <semarie-openbsd at latrappe dot fr>, but avoiding a couple of issues with that patch and approaching the issue in a somewhat more rigorous way.
  (Ingo Schwarze, 2014-07-19, 1 file, -5/+34)
* Security fix:
  Validate the name of the file to show before opening it. Only allow relative filenames starting with "man" or "cat" and containing neither "/.." nor "../". While here, correct the condition discarding an initial "./". Vulnerability found by Sebastien Marie <semarie-openbsd at latrappe dot fr>. Many thanks for sending a patch; however, I did not use it but made the checks even stricter.
  (Ingo Schwarze, 2014-07-19, 1 file, -2/+29)
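The three input checks described in the security fixes above (architecture names restricted to a safe character set, manpath accepted only if listed in manpath.conf, file name validated before opening) are shown together below as an added C example. It is not man.cgi(8)'s code: the allowed character set for architecture names and the sample manpath.conf are assumptions made here, while the file name rules follow the commit text exactly.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not man.cgi(8) code. SAFE_CHARS and the
 * manpath.conf sample are assumptions; the file name rules are those
 * stated in the commit message.
 */

#define SAFE_CHARS "abcdefghijklmnopqrstuvwxyz" \
	"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-"

/* Architecture name from QUERY_STRING: non-empty, SAFE_CHARS only. */
int
arch_ok(const char *s)
{
	return *s != '\0' && s[strspn(s, SAFE_CHARS)] == '\0';
}

/* Constructed stand-in for manpath.conf: one directory name per line. */
const char manpath_conf[] =
	"OpenBSD-current\n"
	"OpenBSD-5.5\n"
	"NetBSD-6.1\n";

/*
 * A manpath is valid only if it appears verbatim as one line of
 * manpath.conf; anything else is a Bad Request, so a client cannot
 * discover which directories exist by guessing names.
 */
int
manpath_ok(const char *manpath, const char *conf)
{
	size_t n = strlen(manpath), len;
	const char *line, *nl;

	if (n == 0)
		return 0;
	for (line = conf; *line != '\0'; line = nl + 1) {
		nl = strchr(line, '\n');
		len = nl != NULL ? (size_t)(nl - line) : strlen(line);
		if (len == n && memcmp(line, manpath, n) == 0)
			return 1;
		if (nl == NULL)
			break;
	}
	return 0;
}

/*
 * File to show: strip a leading "./", then require a name starting
 * with "man" or "cat" (which also rules out absolute paths) that
 * contains neither "/.." nor "../". Returns the name to open, or
 * NULL to reject the request.
 */
const char *
file_ok(const char *file)
{
	if (strncmp(file, "./", 2) == 0)
		file += 2;
	if (strncmp(file, "man", 3) != 0 && strncmp(file, "cat", 3) != 0)
		return NULL;
	if (strstr(file, "/..") != NULL || strstr(file, "../") != NULL)
		return NULL;
	return file;
}

int
main(void)
{
	const char *tests[] = { "man1/ls.1", "./cat1/ls.0",
	    "man1/../../../etc/passwd", "/etc/passwd", "share/man1/x" };
	size_t i;

	for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++)
		printf("%-28s -> %s\n", tests[i],
		    file_ok(tests[i]) != NULL ? file_ok(tests[i]) : "rejected");
	printf("manpath OpenBSD-5.5: %d, OpenBSD-5: %d, arch amd64<x: %d\n",
	    manpath_ok("OpenBSD-5.5", manpath_conf),
	    manpath_ok("OpenBSD-5", manpath_conf), arch_ok("amd64<x"));
	return 0;
}
```

The file check is deliberately a whitelist on shape rather than a blacklist of bad substrings alone: the required "man"/"cat" prefix is what keeps the name inside the manpath directory, and the ".." tests close the remaining traversal route. The manpath check compares whole lines, so a prefix such as "OpenBSD-5" does not match "OpenBSD-5.5".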
* Do not use the HTTP_HOST CGI variable,
  just make the HTTP redirect Location: relative. Less user input is good, it reduces the attack surface. Besides, this removes one global variable and 4 lines of code. Patch from Sebastien Marie <semarie-openbsd at latrappe dot fr>.
  (Ingo Schwarze, 2014-07-18, 2 files, -14/+5)
* When the MAN_DIR/manpath.conf configuration file does not exist or is empty,
  log the problem, hand the pg_error_internal() error page to the client, and exit(3) in a controlled way instead of stumbling on and segfaulting later. Patch from Sebastien Marie <semarie-openbsd at latrappe dot fr>, messages tweaked by me.
  (Ingo Schwarze, 2014-07-18, 1 file, -3/+13)
* Compatibility hack for the old "manpath=OpenBSD<blank>" query parameter format;
  unfortunately, more than 400 links needing this are scattered all around the www.openbsd.org website, and CVSweb needs this as well.
  (Ingo Schwarze, 2014-07-13, 3 files, -27/+74)
* Make the calltree a bit easier to understand by giving the
  functions that call resp_begin_html() names starting with "pg_" and those called after resp_begin_html() names with "resp_". No functional change, purely renaming functions.
  (Ingo Schwarze, 2014-07-13, 1 file, -23/+22)
* make source vs. formatted guessing a bit more robust
  (Ingo Schwarze, 2014-07-13, 1 file, -1/+3)
* By popular demand, bring man.cgi default mode closer to what man(1) does:
  Even when there are multiple pages with the same name in different sections, show one of them, using the same priorities as in the default man.conf(5) file.
  (Ingo Schwarze, 2014-07-13, 1 file, -21/+47)
* Unconfuse .Fa documentation:
  You can use .Fa with just a type, without a name, but when you give both, which is the usual case, they need to go into one single .Fa argument. Observed by bentley@; ok jmc@ bentley@.
  (Ingo Schwarze, 2014-07-13, 1 file, -9/+21)
* Install the manuals of the web interface below the same directory
  as manpath.conf, such that we do not need to mix our own documentation into the documentation we are serving, which may not even be possible if the latter is updated automatically. Based on an idea by beck@.
  (Ingo Schwarze, 2014-07-13, 3 files, -7/+15)
* update after recent code changes
  (Ingo Schwarze, 2014-07-13, 1 file, -58/+58)
* Polish the search form using feedback from beck@ and others,
  in particular introduce a section dropdown and an architecture dropdown.
  (Ingo Schwarze, 2014-07-12, 1 file, -28/+97)
* Polish the search form using feedback from beck@ and others,
  in particular introduce a section dropdown and an architecture dropdown.
  (Ingo Schwarze, 2014-07-12, 1 file, -3/+3)
* No need for run-time configuration, add minimal compile-time
  configuration facilities, just two paths and two HTML strings. Show the title on all pages, not just the index page.
  (Ingo Schwarze, 2014-07-12, 3 files, -20/+21)
* Simplify: Delete 74 lines of code including one enum type, one
  global lookup table, two functions, two function arguments, one struct member, one local variable, and the "search/" and "show/" part of the URIs, all without losing functionality.
  (Ingo Schwarze, 2014-07-12, 1 file, -99/+26)
* Start fixing issues that beck@ helped find:
  Distinguish between man(1) and apropos(1) mode by adding back the classical QUERY_STRING variable "apropos=". Change the default back to "apropos=0". Control it by adding a HTML <SELECT> element for it. Rename the "expr=" QUERY_STRING variable back to its classical name "query=", I don't see how the new name is better than the classical one. While here, drop the concept of a "legacy mode". Simply continue to support the features, and use what we consider best.
  (Ingo Schwarze, 2014-07-12, 1 file, -38/+35)
* Fix whatis(1) to correctly match words instead of any substrings.
  While here, also provide an internal mode (MANSEARCH_MAN) to match complete names, to be used by man.cgi(8).
  (Ingo Schwarze, 2014-07-12, 2 files, -25/+54)
* fix the two manual links on the index page
  (Ingo Schwarze, 2014-07-12, 1 file, -8/+9)
* merge OpenBSD rev. 1.3 by tedu@:
  make http decode linear time. also remove a redundant null check.
  (Ingo Schwarze, 2014-07-11, 1 file, -7/+9)
* merge OpenBSD rev. 1.2 by tedu@:
  http headers must end lines with CRLF.
  (Ingo Schwarze, 2014-07-11, 1 file, -9/+10)
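The two merged OpenBSD changes above (percent-decoding in linear time, CRLF line endings on HTTP headers) are illustrated by the added C example below. It is not tedu@'s code: the single-pass in-place decoder is one way to get linear time, and rejecting non-hex escapes, rejecting %00 (which would embed a NUL and truncate the C string) and refusing CR or LF inside a header value are choices made here that the page does not describe.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not the OpenBSD man.cgi code. Error handling
 * (bad hex, %00, CR/LF in header values) is this example's choice.
 */

static int
hexval(int c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/*
 * Decode %XX and '+' in place in a single pass: the write pointer never
 * runs ahead of the read pointer, so there is no memmove() per escape
 * and no quadratic behaviour on long, escape-heavy query strings.
 * Returns 1 on success, 0 on a truncated or non-hex escape or on %00.
 * On failure the buffer is partially decoded and must be discarded.
 */
int
http_decode(char *p)
{
	char *out = p;
	int hi, lo;

	for (; *p != '\0'; p++) {
		if (*p == '+') {
			*out++ = ' ';
		} else if (*p == '%') {
			hi = hexval((unsigned char)p[1]);
			lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
			if (lo < 0 || (hi == 0 && lo == 0))
				return 0;
			*out++ = (char)(hi << 4 | lo);
			p += 2;
		} else {
			*out++ = *p;
		}
	}
	*out = '\0';
	return 1;
}

/*
 * Write "Name: value\r\n" into dst. HTTP requires CRLF line endings;
 * a CR or LF inside the value would end the header early and let the
 * caller inject further headers, so such values are refused.
 */
int
http_header(char *dst, size_t cap, const char *name, const char *value)
{
	int n;

	if (strpbrk(value, "\r\n") != NULL)
		return 0;
	n = snprintf(dst, cap, "%s: %s\r\n", name, value);
	return n > 0 && (size_t)n < cap;
}

/* Helpers working on a private copy, so callers can compare results. */
int
decode_equals(const char *in, const char *want)
{
	char buf[256];

	if (strlen(in) >= sizeof(buf))
		return 0;
	strcpy(buf, in);
	return http_decode(buf) == 1 && strcmp(buf, want) == 0;
}

int
decode_fails(const char *in)
{
	char buf[256];

	if (strlen(in) >= sizeof(buf))
		return 0;
	strcpy(buf, in);
	return http_decode(buf) == 0;
}

int
header_equals(const char *name, const char *value, const char *want)
{
	char buf[256];

	return http_header(buf, sizeof(buf), name, value) == 1 &&
	    strcmp(buf, want) == 0;
}

int
main(void)
{
	char q[] = "manpath=OpenBSD%2Dcurrent&arch=%3Cscript%3E&query=ls+%2Dl";
	char hdr[128];
	int ok = http_decode(q);

	printf("%s: %s\n", ok ? "decoded" : "rejected", q);
	if (http_header(hdr, sizeof(hdr), "Location", "/cgi-bin/man.cgi?query=ls"))
		fputs(hdr, stdout);
	return 0;
}
```

Note that decoding restores characters such as `<` and `;` that later checks must still reject; decoding is not validation, and the character-set and manpath checks in the fixes higher up on this page run on the decoded values.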
* add HISTORY section
  (Ingo Schwarze, 2014-07-11, 1 file, -2/+10)
* Link to the new man.cgi(8) manual, now that we have it! :-)
  While here, s/satisfy/match/ when talking about queries.
  (Ingo Schwarze, 2014-07-10, 1 file, -3/+6)
* Full rewrite of the man.cgi(8) manual.
  Almost everything in the old man.cgi(7) was outdated in one way or another - catman, catman.conf, CACHE_DIR, /cache, manroots, replacing '/' with spaces, /tmp... Instead, document the HTML and URI interfaces, the output and the setup, and complete the listings of ENVIRONMENT variables and FILES. Using section 8 instead of section 7 because that's the usual place for CGI programs, see for example bgplg(8) and slowcgi(8).
  (Ingo Schwarze, 2014-07-10, 3 files, -125/+327)
* some sugar for the index page
  (Ingo Schwarze, 2014-07-09, 1 file, -3/+11)
* Clean up error reporting:
  * Consistent naming and use of resp_* functions.
  * Split resp_noresult() out of resp_search() and reuse it.
  * Log information about internal errors.
  * And some minor fixes.
  (Ingo Schwarze, 2014-07-09, 1 file, -50/+51)
* namespace cleanups:
  CGI variable: s/CACHE_DIR/MAN_DIR/ because it's static, not a cache
  default MAN_DIR: /cache/man.cgi/ -> /man/ see above
  global variable: s/cache/mandir/ see above
  global variable: s/css/cssdir/ for consistency with mandir
  global variable: s/host/httphost/ for consistency with HTTP_HOST
  global variable: s/progname/scriptname/ for consistency with SCRIPT_NAME
  struct query: member s/manroot/manpath/ for consistency with QUERY_STRING
  (Ingo Schwarze, 2014-07-09, 1 file, -45/+48)
* remove obsolete __sun includes
  and improve some whitespace and comments
  (Ingo Schwarze, 2014-07-09, 1 file, -10/+3)
* set a reasonable default for .Os
  (Ingo Schwarze, 2014-07-09, 1 file, -2/+3)
* mark defos as const; nobody needs to change it,
  and it is occasionally useful to be able to pass literal strings
  (Ingo Schwarze, 2014-07-09, 5 files, -11/+13)
* delete forgotten, obsolete rew_warn() prototype
  (Ingo Schwarze, 2014-07-09, 1 file, -3/+1)
* oops, forgot to trim the newline character
  (Ingo Schwarze, 2014-07-09, 1 file, -1/+3)
* Simplify pathgen() even more.
  Let manpath.conf be a plain text list of the directories to use. As a bonus, this makes the order configurable. Get rid of <dirent.h>, opendir(3), readdir(3), stat(2).
  (Ingo Schwarze, 2014-07-09, 1 file, -28/+14)
* include manpath= when printing queries, and omit empty parameters
  (Ingo Schwarze, 2014-07-09, 1 file, -13/+33)
* This one needs "config.h", too.
  (Ingo Schwarze, 2014-07-09, 1 file, -1/+5)
* Switch over man.cgi to SQLite. While here:
  * Simplify pathgen(), just use the subdirs of the cache dir.
  * Simplify URI paths, just use show/<manpath>/<filename>.
  * Drop struct paths, just use plain strings.
  * Garbage collect unused headers.
  (Ingo Schwarze, 2014-07-09, 2 files, -379/+102)
* Clean up ERROR messages related to document structure and macros:
  Hierarchical naming and mention macro names in messages.
  (Ingo Schwarze, 2014-07-07, 7 files, -47/+66)
* Simplify man_unscope(), removing 18 lines of code, that is,
  removing one function argument, one function definition, three function invocations and two pointless assert()s. No functional change.
  (Ingo Schwarze, 2014-07-07, 3 files, -53/+28)
* no need to delete any content from .Rs blocks,
  and downgrade the related message from ERROR to WARNING
  (Ingo Schwarze, 2014-07-07, 3 files, -39/+16)
* no need to skip content before first section header
  (Ingo Schwarze, 2014-07-07, 4 files, -28/+8)
* implement .dei and .ami
  (Ingo Schwarze, 2014-07-07, 4 files, -51/+72)
* Clean up messages related to plain text and to escape sequences.
  * Mention invalid escape sequences and string names, and fallbacks.
  * Hierarchical naming.
  (Ingo Schwarze, 2014-07-06, 10 files, -50/+65)
* After skipping an escape sequence with incomplete arguments,
  do not throw away the rest of the string to be rendered.
  (Ingo Schwarze, 2014-07-06, 1 file, -3/+3)
* Fix expansion of escape sequences with incomplete arguments.
  * For \* and \n, discard the incomplete arg, expand to empty string.
  * For \B, discard the incomplete arg, expand to the digit 0.
  * For \w, use the incomplete arg (behaviour unchanged).
  (Ingo Schwarze, 2014-07-06, 1 file, -8/+15)
* Fix handling of escape sequences taking numeric arguments.
  * Repair detection of invalid delimiters.
  * Discard the invalid delimiter together with the invalid sequence.
  Note to self: In general, strchr("\0...", c) is a thoroughly bad idea.
  (Ingo Schwarze, 2014-07-06, 1 file, -2/+4)
* Cleanup with respect to bad macro arguments.
  * Fix .Sm with invalid arg: move arg out and toggle mode.
  * Promote "unknown standard" from WARNING to ERROR, it loses information.
  * Delete MANDOCERR_BADWIDTH, it would only indicate a mandoc(1) bug.
  * Do not report MANDOCERR_BL_LATETYPE when there is no type at all.
  * Mention macro names, arguments and fallbacks.
  (Ingo Schwarze, 2014-07-05, 4 files, -77/+80)