--- web/cgi-bin/docs.cgi	2000/10/25 23:56:27	1.1
+++ web/cgi-bin/docs.cgi	2004/03/21 23:59:32	1.7
@@ -1,94 +1,126 @@
 #!/usr/bin/perl -w
 
-#------------------------------------------------------------
-# docs.cgi
-# 
-# Web-based text file viewer.
-# Copyright Paul Mutton, 2000.
-#------------------------------------------------------------
-
 use strict;
 use CGI;
 
 $| = 1;
 
 # Settings
-my ($left) = "../left.inc" ;
-my ($title) = "../title.inc";
-my ($bottom) = "../bottom.inc";
+my ($menu) = "../nwww/menu.inc" ;
+my ($header) = "../nwww/header.inc";
+my ($footer) = "../nwww/footer.inc";
+my ($style) = "../nwww/style.inc";
 
-
 my ($query) = new CGI;
-my ($doci) = ($query->param('doc') =~ /^\s*(.*?\.txt)\s*$/);
-my ($doc) = "../documentation/$doci";
 
-print "content-type: text/html\n\n";
+# Note filenames may only have one dot in them, in the ".txt".
+# This prevents malicious users using "../" to view files.
+my ($doc) = ($query->param('doc') =~ /^\s*([^\.]*?\.txt)\s*$/);
 
-print <<"END";
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+print "Content-type: text/html\n\n";
 
-<!--
-    docs.cgi
-    Web-based text file viewer and formatter.
-    Created by pjm2 19/10/2000
-    Last modified 19/10/2000
--->
+unless (defined $doc) {
+    print "The link to this page was broken - it must specify a .txt file.";
+    exit;
+}
 
+# Prevent hackers from supplying a malformed document string.
+# I.e. only allow normal characters, slashes and dots.
+unless ($doc =~ /^[a-zA-Z_\-0-9\.\/]+$/) {
+    print "Malformed request.";
+    exit;
+}
+$doc = "../htdocs/documentation/".$doc;
+
+my($docname) = $doc =~ /\/([^\/]+)$/;
+
+print <<"END";
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+
 <html>
 
 <head>
- <title>The i-scream Project Documentation Viewer</title>
- <meta name="description" content="The i-scream Project is a central monitoring system for Unix, Linux and NT servers.">
- <meta name="keywords" content="i-scream, project, central monitoring system, unix, linux, nt, server, alert">
- <meta name="generator" content="notepad on acid, aye.">
+ <title>i-scream plain text documentation viewer</title>
+END
+
+&print_html($style);
+
+print <<"END";
 </head>
 
-<body bgcolor="#ffffff" link="#0000ff" alink="#3333cc" vlink="#3333cc" text="#000066">
+<body>
 
-<table border="0" cellpadding="2" cellspacing="2">
- <tr>
-  <td valign="top">
+<div id="container">
+
+<div id="main">
 END
 
-&print_file($left);
+&print_html($header);
 
 print <<"END";
+<div id="contents">
+<h1 class="top">i-scream documentation viewer</h1>
 
-  </td>
-  <td valign="top">
+<h2>$docname</h2>
 END
 
-&print_file($title);
-
-print "<PRE>\n";
 &print_file($doc);
-print "</PRE>\n";
+print "</div>";
 
-&print_file($bottom);
+&print_html($footer);
 
-print <<"END";
+print "</div>";
 
-  </td>
- </tr>
-</table>
+&print_html($menu);
 
-</body>
+print <<"END";
+</div>
 
+</body>
 </html>
 END
 
 exit 0;
 
+# Print a file, whilst escaping HTML: -
 sub print_file ($) {
-    my ($filename) = @_;
-    print `cat $filename`;
-}
+my ($urls) = '(' . join ('|', qw{
+	       http
+	       telnet
+	       gopher
+	       file
+	       wais
+	       ftp
+	       } )
+	   . ')';
 
-sub print_file_old ($) {
-    my ($filename) = @_;
-    open(FILE, $filename) or die "Cannot open $filename: $!\n";
-    while (my ($line) = <FILE>) {
-        print $line;
+my ($ltrs) = '\w';
+my ($gunk) = '/#~:.?+=&%@!\-';
+my ($punc) = '.:?\-';
+my ($any) = "${ltrs}${gunk}${punc}";
+my ($filename) = @_;
+if(open(FILE, $filename)) {
+    print "<pre>\n";
+    # Use $_ implicitly throughout.
+    while (<FILE>) {
+        # Must do the next line first!
+        s/&/&amp;/g;
+        s/</&lt;/g;
+        s/>/&gt;/g;
+        s/"/&quot;/g;
+        s/\b($urls:[$any]+?)(?=[$punc]*[^$any]|$)/<a href="$1">$1<\/a>/igox;
+        print;
     }
+    print "</pre>";
 }
+else {
+    print "Failed to open $docname.";
+}
+}
 
+# Print a file without escaping HTML: -
+sub print_html ($) {
+my ($filename) = @_;
+print `cat $filename 2>&1`;
+}