X-Git-Url: http://git.i-scream.org/?a=blobdiff_plain;ds=sidebyside;f=cgi-bin%2Fdocs.cgi;h=bdcd3f9721a02bd3b757ddde93c58248f82bf44a;hb=4399a59c122c1a3cb239361f6d437732e16653e2;hp=cb6c3d2bbe8dbb9fa83e81024156f0a96e7b5586;hpb=5e4357f28b692892ea28ac034c8166727ad76f06;p=www.i-scream.org.git diff --git a/cgi-bin/docs.cgi b/cgi-bin/docs.cgi index cb6c3d2..bdcd3f9 100755 --- a/cgi-bin/docs.cgi +++ b/cgi-bin/docs.cgi @@ -1,75 +1,97 @@ #!/usr/bin/perl -w -#------------------------------------------------------------ -# docs.cgi -# -# Web-based text file viewer. -# Copyright Paul Mutton, 2000. -#------------------------------------------------------------ - use strict; use CGI; $| = 1; # Settings -my ($left) = "../left.inc" ; -my ($title) = "../title.inc"; -my ($bottom) = "../bottom.inc"; +my ($incdir) = "../nwww"; +# Include files +my ($doctype) = "$incdir/doctype.inc"; +my ($style) = "$incdir/style.inc"; +my ($header) = "$incdir/header.inc"; +my ($footer) = "$incdir/footer.inc"; +my ($menu) = "$incdir/menu.inc" ; my ($query) = new CGI; -my ($doc) = ($query->param('doc') =~ /^\s*(.*?\.txt)\s*$/); -$doc = "../documentation/".$doc; +# Note filenames may only have one dot in them, in the ".txt". +# This prevents malicious users using "../" to view files. +my ($doc) = ($query->param('doc') =~ /^\s*([^\.]*?\.txt)\s*$/); + +# This should be application/xhtml+xml print "Content-type: text/html\n\n"; -print <<"END"; - +unless (defined $doc) { + print "The link to this page was broken - it must specify a .txt file."; + exit; +} - +# Prevent hackers from supplying a malformed document string. +# I.e. only allow normal characters, slashes and dots. +unless ($doc =~ /^[a-zA-Z_\-0-9\.\/]+$/) { + print "Malformed request."; + exit; +} +$doc = "../htdocs/documentation/".$doc; - +my($docname) = $doc =~ /\/([^\/]+)$/; -
-
+
+
+
+
END
-&print_html($left);
+&print_html($header);
print <<"END";
- |
-
+
+ + i-scream documentation viewer +++ $docname +END -&print_html($title); &print_file($doc); -&print_html($bottom); print <<"END"; - |
-
\n"; +my ($urls) = '(' . join ('|', qw{ + http + telnet + gopher + file + wais + ftp + } ) + . ')'; + +my ($ltrs) = '\w'; +my ($gunk) = '/#~:.?+=&%@!\-'; +my ($punc) = '.:?\-'; +my ($any) = "${ltrs}${gunk}${punc}"; +my ($filename) = @_; +if(open(FILE, $filename)) { + print ""; +} +else { + print "Failed to open $docname."; +} } # Print a file without escaping HTML: - sub print_html ($) { - my ($filename) = @_; - print `cat $filename`; +my ($filename) = @_; +print `cat $filename 2>&1`; }\n"; # Use $_ implicitly throughout. while ("; + print "\n) { # Must do the next line first! @@ -104,11 +126,15 @@ sub print_file ($) { s/\b($urls:[$any]+?)(?=[$punc]*[^$any]|$)/$1<\/a>/igox; print; } - print "