19 |
|
|
20 |
|
|
21 |
|
my ($query) = new CGI; |
22 |
– |
my ($doci) = ($query->param('doc') =~ /^\s*(.*?\.txt)\s*$/); |
23 |
– |
my ($doc) = "../documentation/$doci"; |
22 |
|
|
23 |
< |
print "content-type: text/html\n\n"; |
23 |
> |
# Note filenames may only have one dot in them, in the ".txt". |
24 |
> |
# This prevents malicious users using "../" to view files. |
25 |
> |
my ($doc) = ($query->param('doc') =~ /^\s*([^\.]*?\.txt)\s*$/); |
26 |
|
|
27 |
+ |
print "Content-type: text/html\n\n"; |
28 |
+ |
|
29 |
+ |
unless (defined $doc) { |
30 |
+ |
print "The link to this page was broken - it must specify a .txt file."; |
31 |
+ |
exit; |
32 |
+ |
} |
33 |
+ |
|
34 |
+ |
# Prevent hackers from supplying a malformed document string. |
35 |
+ |
# I.e. only allow normal characters, slashes and dots. |
36 |
+ |
unless ($doc =~ /^[a-zA-Z_\-0-9\.\/]+$/) { |
37 |
+ |
print "Go Away, you nasty hax0r!"; |
38 |
+ |
exit; |
39 |
+ |
} |
40 |
+ |
$doc = "../documentation/".$doc; |
41 |
+ |
|
42 |
|
print <<"END"; |
43 |
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> |
44 |
|
|
46 |
|
docs.cgi |
47 |
|
Web-based text file viewer and formatter. |
48 |
|
Created by pjm2 19/10/2000 |
49 |
< |
Last modified 19/10/2000 |
49 |
> |
Last modified 02/11/2000 |
50 |
|
--> |
51 |
|
|
52 |
|
<html> |
65 |
|
<td valign="top"> |
66 |
|
END |
67 |
|
|
68 |
< |
&print_file($left); |
68 |
> |
&print_html($left); |
69 |
|
|
70 |
|
print <<"END"; |
71 |
|
|
73 |
|
<td valign="top"> |
74 |
|
END |
75 |
|
|
76 |
< |
&print_file($title); |
62 |
< |
|
63 |
< |
print "<PRE>\n"; |
76 |
> |
&print_html($title); |
77 |
|
&print_file($doc); |
78 |
< |
print "</PRE>\n"; |
78 |
> |
&print_html($bottom); |
79 |
|
|
67 |
– |
&print_file($bottom); |
68 |
– |
|
80 |
|
print <<"END"; |
81 |
|
|
82 |
|
</td> |
90 |
|
|
91 |
|
exit 0; |
92 |
|
|
93 |
+ |
# Print a file, whilst escaping HTML: - |
94 |
|
sub print_file ($) { |
95 |
+ |
my ($urls) = '(' . join ('|', qw{ |
96 |
+ |
http |
97 |
+ |
telnet |
98 |
+ |
gopher |
99 |
+ |
file |
100 |
+ |
wais |
101 |
+ |
ftp |
102 |
+ |
} ) |
103 |
+ |
. ')'; |
104 |
+ |
|
105 |
+ |
my ($ltrs) = '\w'; |
106 |
+ |
my ($gunk) = '/#~:.?+=&%@!\-'; |
107 |
+ |
my ($punc) = '.:?\-'; |
108 |
+ |
my ($any) = "${ltrs}${gunk}${punc}"; |
109 |
|
my ($filename) = @_; |
84 |
– |
print `cat $filename`; |
85 |
– |
} |
86 |
– |
|
87 |
– |
sub print_file_old ($) { |
88 |
– |
my ($filename) = @_; |
110 |
|
open(FILE, $filename) or die "Cannot open $filename: $!\n"; |
111 |
< |
while (my ($line) = <FILE>) { |
112 |
< |
print $line; |
111 |
> |
print "<pre>\n"; |
112 |
> |
# Use $_ implicitly throughout. |
113 |
> |
while (<FILE>) { |
114 |
> |
# Must do the next line first! |
115 |
> |
s/&/&/g; |
116 |
> |
s/</</g; |
117 |
> |
s/>/>/g; |
118 |
> |
s/"/"/g; |
119 |
> |
s/\b($urls:[$any]+?)(?=[$punc]*[^$any]|$)/<a href="$1">$1<\/a>/igox; |
120 |
> |
print; |
121 |
|
} |
122 |
+ |
print "</pre>"; |
123 |
|
} |
124 |
|
|
125 |
+ |
# Print a file without escaping HTML: - |
126 |
+ |
sub print_html ($) { |
127 |
+ |
my ($filename) = @_; |
128 |
+ |
print `cat $filename`; |
129 |
+ |
} |