X-Git-Url: http://git.i-scream.org/?a=blobdiff_plain;f=cgi-bin%2Fdocs.cgi;h=402c9e505ba29cb49bd023f9ed76ce1ed741b7ca;hb=044ce3d999326b8748cd8f2821ed593298bb07ba;hp=ea7fdf8b3e1c7883318d764bfc8e9a833ef407c0;hpb=b85ad0f3e5db5575c19957c4262383fa96421adc;p=www.i-scream.org.git diff --git a/cgi-bin/docs.cgi b/cgi-bin/docs.cgi index ea7fdf8..402c9e5 100755 --- a/cgi-bin/docs.cgi +++ b/cgi-bin/docs.cgi @@ -1,94 +1,126 @@ #!/usr/bin/perl -w -#------------------------------------------------------------ -# docs.cgi -# -# Web-based text file viewer. -# Copyright Paul Mutton, 2000. -#------------------------------------------------------------ - use strict; use CGI; $| = 1; # Settings -my ($left) = "../left.inc" ; -my ($title) = "../title.inc"; -my ($bottom) = "../bottom.inc"; - +my ($menu) = "../nwww/menu.inc" ; +my ($header) = "../nwww/header.inc"; +my ($footer) = "../nwww/footer.inc"; +my ($style) = "../nwww/style.inc"; my ($query) = new CGI; -my ($doci) = ($query->param('doc') =~ /^\s*(.*?\.txt)\s*$/); -my ($doc) = "../documentation/$doci"; -print "content-type: text/html\n\n"; +# Note filenames may only have one dot in them, in the ".txt". +# This prevents malicious users using "../" to view files. +my ($doc) = ($query->param('doc') =~ /^\s*([^\.]*?\.txt)\s*$/); -print <<"END"; - +print "Content-type: text/html\n\n"; + +unless (defined $doc) { + print "The link to this page was broken - it must specify a .txt file."; + exit; +} + +# Prevent hackers from supplying a malformed document string. +# I.e. only allow normal characters, slashes and dots. +unless ($doc =~ /^[a-zA-Z_\-0-9\.\/]+$/) { + print "Malformed request."; + exit; +} +$doc = "../htdocs/documentation/".$doc; + +my($docname) = $doc =~ /\/([^\/]+)$/; - +print <<"END"; +
-
+
END
-&print_file($left);
+&print_html($header);
print <<"END";
+
+ i-scream documentation viewer- |
-
+$docnameEND -&print_file($title); - -print "\n"; &print_file($doc); -print "\n"; +print ""; -&print_file($bottom); +&print_html($footer); -print <<"END"; +print ""; - |
-
\n"; + # Use $_ implicitly throughout. + while ("; +} +else { + print "Failed to open $docname."; +} } +# Print a file without escaping HTML: - +sub print_html ($) { +my ($filename) = @_; +print `cat $filename 2>&1`; +}) { + # Must do the next line first! + s/&/&/g; + s/</g; + s/>/>/g; + s/"/"/g; + s/\b($urls:[$any]+?)(?=[$punc]*[^$any]|$)/$1<\/a>/igox; + print; } + print "