From f3dea95c45f09985dee82aaebd8766df3fabedfc Mon Sep 17 00:00:00 2001 From: Paul Mutton Date: Thu, 8 Feb 2001 21:17:47 +0000 Subject: [PATCH] Fixed a potential security problem with the page. All filenames passed as the "doc" parameter must end in ".txt" and may not contain any other dots, for example "../", but sensible web servers should restrict the wwwuser as a matter of caution, anyway. Furthermore, only normal characters are allowed in the filename - see the regexp on line 36 to see what these are. This was to combat malicious users potentially inserting a ";" or other character in the HTTP querystring, however, most implementations of perl CGI readily ignore everything after (and including) the first ";" when a new CGI object is used to return the form variables. --- cgi-bin/docs.cgi | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/cgi-bin/docs.cgi b/cgi-bin/docs.cgi index cb6c3d2..f373219 100755 --- a/cgi-bin/docs.cgi +++ b/cgi-bin/docs.cgi @@ -19,11 +19,26 @@ my ($bottom) = "../bottom.inc"; my ($query) = new CGI; -my ($doc) = ($query->param('doc') =~ /^\s*(.*?\.txt)\s*$/); -$doc = "../documentation/".$doc; + +# Note filenames may only have one dot in them, in the ".txt". +# This prevents malicious users using "../" to view files. +my ($doc) = ($query->param('doc') =~ /^\s*([^\.]*?\.txt)\s*$/); print "Content-type: text/html\n\n"; +unless (defined $doc) { + print "The link to this page was broken - it must specify a .txt file."; + exit; +} + +# Prevent hackers from supplying a malformed document string. +# I.e. only allow normal characters, slashes and dots. +unless ($doc =~ /^[a-zA-Z_\-0-9\.\/]+$/) { + print "Go Away, you nasty hax0r!"; + exit; +} +$doc = "../documentation/".$doc; + print <<"END"; -- 2.44.0