| 19 |
|
|
| 20 |
|
|
| 21 |
|
my ($query) = new CGI; |
| 22 |
– |
my ($doc) = ($query->param('doc') =~ /^\s*(.*?\.txt)\s*$/); |
| 23 |
– |
$doc = "../documentation/".$doc; |
| 22 |
|
|
| 23 |
+ |
# Note filenames may only have one dot in them, in the ".txt". |
| 24 |
+ |
# This prevents malicious users using "../" to view files. |
| 25 |
+ |
my ($doc) = ($query->param('doc') =~ /^\s*([^\.]*?\.txt)\s*$/); |
| 26 |
+ |
|
| 27 |
|
print "Content-type: text/html\n\n"; |
| 28 |
|
|
| 29 |
+ |
unless (defined $doc) { |
| 30 |
+ |
print "The link to this page was broken - it must specify a .txt file."; |
| 31 |
+ |
exit; |
| 32 |
+ |
} |
| 33 |
+ |
|
| 34 |
+ |
# Prevent hackers from supplying a malformed document string. |
| 35 |
+ |
# I.e. only allow normal characters, slashes and dots. |
| 36 |
+ |
unless ($doc =~ /^[a-zA-Z_\-0-9\.\/]+$/) { |
| 37 |
+ |
print "Go Away, you nasty hax0r!"; |
| 38 |
+ |
exit; |
| 39 |
+ |
} |
| 40 |
+ |
$doc = "../documentation/".$doc; |
| 41 |
+ |
|
| 42 |
|
print <<"END"; |
| 43 |
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> |
| 44 |
|
|
| 92 |
|
|
| 93 |
|
# Print a file, whilst escaping HTML: - |
| 94 |
|
sub print_file ($) { |
| 95 |
+ |
my ($urls) = '(' . join ('|', qw{ |
| 96 |
+ |
http |
| 97 |
+ |
telnet |
| 98 |
+ |
gopher |
| 99 |
+ |
file |
| 100 |
+ |
wais |
| 101 |
+ |
ftp |
| 102 |
+ |
} ) |
| 103 |
+ |
. ')'; |
| 104 |
+ |
|
| 105 |
+ |
my ($ltrs) = '\w'; |
| 106 |
+ |
my ($gunk) = '/#~:.?+=&%@!\-'; |
| 107 |
+ |
my ($punc) = '.:?\-'; |
| 108 |
+ |
my ($any) = "${ltrs}${gunk}${punc}"; |
| 109 |
|
my ($filename) = @_; |
| 110 |
|
open(FILE, $filename) or die "Cannot open $filename: $!\n"; |
| 111 |
|
print "<pre>\n"; |
| 116 |
|
s/</</g; |
| 117 |
|
s/>/>/g; |
| 118 |
|
s/"/"/g; |
| 119 |
+ |
s/\b($urls:[$any]+?)(?=[$punc]*[^$any]|$)/<a href="$1">$1<\/a>/igox; |
| 120 |
|
print; |
| 121 |
|
} |
| 122 |
|
print "</pre>"; |
