X-Git-Url: http://git.i-scream.org/?a=blobdiff_plain;f=cgi-bin%2Fdocs.cgi;h=ee22b7b9ed4c8f05aeda8a797f03484ec286a06c;hb=a8233ee6515c3f035580bd7711f9484dbb71fbf8;hp=ea7fdf8b3e1c7883318d764bfc8e9a833ef407c0;hpb=b85ad0f3e5db5575c19957c4262383fa96421adc;p=www.i-scream.org.git diff --git a/cgi-bin/docs.cgi b/cgi-bin/docs.cgi index ea7fdf8..ee22b7b 100755 --- a/cgi-bin/docs.cgi +++ b/cgi-bin/docs.cgi @@ -1,94 +1,149 @@ #!/usr/bin/perl -w -#------------------------------------------------------------ -# docs.cgi -# -# Web-based text file viewer. -# Copyright Paul Mutton, 2000. -#------------------------------------------------------------ - use strict; use CGI; $| = 1; # Settings -my ($left) = "../left.inc" ; -my ($title) = "../title.inc"; -my ($bottom) = "../bottom.inc"; +my ($incdir) = "../nwww"; +# Include files +my ($doctype) = "$incdir/doctype.inc"; +my ($style) = "$incdir/style.inc"; +my ($header) = "$incdir/header.inc"; +my ($footer) = "$incdir/footer.inc"; +my ($menu) = "$incdir/menu.inc" ; my ($query) = new CGI; -my ($doci) = ($query->param('doc') =~ /^\s*(.*?\.txt)\s*$/); -my ($doc) = "../documentation/$doci"; -print "content-type: text/html\n\n"; +# Note filenames may only have one dot in them, in the ".txt". +# This prevents malicious users using "../" to view files. +my ($doc) = ($query->param('doc') =~ /^\s*([^\.]*?\.txt)\s*$/); -print <<"END"; - +# This should be application/xhtml+xml +print "Content-type: text/html\n\n"; - +unless (defined $doc) { + print "The link to this page was broken - it must specify a .txt file."; + exit; +} + +# Prevent hackers from supplying a malformed document string. +# I.e. only allow normal characters, slashes and dots. +unless ($doc =~ /^[a-zA-Z_\-0-9\.\/]+$/) { + print "Malformed request."; + exit; +} +$doc = "../htdocs/documentation/".$doc; - +my($docname) = $doc =~ /\/([^\/]+)$/; - - The i-scream Project Documentation Viewer - - - - +&print_html($doctype); - +print <<"END"; - - - - - -

+ + + i-scream plain text documentation viewer + END -&print_file($left); +&print_html($style); print <<"END"; -

+ + +

END -&print_file($title); +&print_html($header); + +print <<"END"; + +

+ i-scream documentation viewer +

+ $docname +

+END -print "

\n";
 &print_file($doc);
-print "

\n"; -&print_file($bottom); +print <<"END"; + +

+END + +&print_html($footer); print <<"END"; -

+ +END + +&print_html($menu); - +print <<"END"; + + END exit 0; -sub print_file ($) { +# Print a file, whilst escaping HTML: - +sub print_file { +my ($urls) = '(' . join ('|', qw{ + http + telnet + gopher + file + wais + ftp + } ) + . ')'; + + my ($ltrs) = '\w'; + my ($gunk) = '/#~:.?+=&%@!\-'; + my ($punc) = '.:?\-'; + my ($any) = "${ltrs}${gunk}${punc}"; my ($filename) = @_; - print `cat $filename`; + if(open(FILE, $filename)) { + print "

\n";
+        # Use $_ implicitly throughout.
+        while () {
+            # Must do the next line first!
+            s/&/&/g;
+            s//>/g;
+            s/"/"/g;
+            s/\b($urls:[$any]+?)(?=[$punc]*[^$any]|$)/$1<\/a>/igox;
+            print;
+        }
+        print "\n

"; + } + else { + print "Failed to open $docname."; + } } -sub print_file_old ($) { +# Print the contents of a file containing html +sub print_html ($) { my ($filename) = @_; - open(FILE, $filename) or die "Cannot open $filename: $!\n"; - while (my ($line) = ) { - print $line; + my($virtual) = ''; + my(@virtualresponse) = `/web/i-scream/nwww.cgi-bin/logo.cgi`; + open(FILE, $filename); + while() { + if(/$virtual/) { + s/$virtual/$virtualresponse[@virtualresponse-1]/; + } + print; } + close FILE; } -