Fixed a potential security problem with the page.

All filenames passed as the "doc" parameter must end in ".txt" and may not
contain any other dots, for example "../", but sensible web servers should
restrict the wwwuser as a matter of caution, anyway.  Furthermore, only
normal characters are allowed in the filename - see the regexp on line 36
to see what these are.  This was to combat malicious users potentially
inserting a ";" or other character in the HTTP querystring, however, most
implementations of perl CGI readily ignore everything after (and
including) the first
";" when a new CGI object is used to return the form variables.

diff --git a/cgi-bin/docs.cgi b/cgi-bin/docs.cgi
index cb6c3d2bbe8dbb9fa83e81024156f0a96e7b5586..f373219a07c7efb2fb0ed2ddabe0b97ce28616e7 100755 (executable)
--- a/cgi-bin/docs.cgi
+++ b/cgi-bin/docs.cgi
@@ -19,11 +19,26 @@ my ($bottom) = "../bottom.inc";
 
 
 my ($query) = new CGI;
-my ($doc) = ($query->param('doc') =~ /^\s*(.*?\.txt)\s*$/);
-$doc = "../documentation/".$doc;
+
+# Note filenames may only have one dot in them, in the ".txt".
+# This prevents malicious users using "../" to view files.
+my ($doc) = ($query->param('doc') =~ /^\s*([^\.]*?\.txt)\s*$/);
 
 print "Content-type: text/html\n\n";
 
+unless (defined $doc) {
+    print "The link to this page was broken - it must specify a .txt file.";
+    exit;
+}
+
+# Prevent hackers from supplying a malformed document string.
+# I.e. only allow normal characters, slashes and dots.
+unless ($doc =~ /^[a-zA-Z_\-0-9\.\/]+$/) {
+    print "Go Away, you nasty hax0r!";
+    exit;
+}
+$doc = "../documentation/".$doc;
+
 print <<"END";
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">