
Comparing web/cgi-bin/docs.cgi (file contents):
Revision 1.2 by tdb, Thu Nov 2 20:59:43 2000 UTC vs.
Revision 1.5.2.1 by tdb, Sun May 11 19:51:06 2003 UTC

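--- a/web/cgi-bin/docs.cgi
+++ b/web/cgi-bin/docs.cgi
@@ -13,17 +13,32 @@ use CGI;
 $| = 1;
 
 # Settings
-my ($left) = "../left.inc" ;
-my ($title) = "../title.inc";
-my ($bottom) = "../bottom.inc";
+my ($left) = "../htdocs/left.inc" ;
+my ($title) = "../htdocs/title.inc";
+my ($bottom) = "../htdocs/bottom.inc";
 
 
 my ($query) = new CGI;
-my ($doc) = ($query->param('doc') =~ /^\s*(.*?\.txt)\s*$/);
-$doc = "../documentation/".$doc;
 
+# Note filenames may only have one dot in them, in the ".txt".
+# This prevents malicious users using "../" to view files.
+my ($doc) = ($query->param('doc') =~ /^\s*([^\.]*?\.txt)\s*$/);
+
 print "Content-type: text/html\n\n";
 
+unless (defined $doc) {
+   print "The link to this page was broken - it must specify a .txt file.";
+   exit;
+}
+
+# Prevent hackers from supplying a malformed document string.
+# I.e. only allow normal characters, slashes and dots.
+unless ($doc =~ /^[a-zA-Z_\-0-9\.\/]+$/) {
+   print "Malformed request";
+   exit;
+}
+$doc = "../htdocs/documentation/".$doc;
+
 print <<"END";
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
 
@@ -77,6 +92,20 @@ exit 0;
 
 # Print a file, whilst escaping HTML: -
 sub print_file ($) {
+   my ($urls) = '(' . join ('|', qw{
+                      http
+                      telnet
+                      gopher
+                      file
+                      wais
+                      ftp
+                      } )
+                  . ')';
+   
+   my ($ltrs) = '\w';
+   my ($gunk) = '/#~:.?+=&%@!\-';
+   my ($punc) = '.:?\-';
+   my ($any) = "${ltrs}${gunk}${punc}";
    my ($filename) = @_;
    open(FILE, $filename) or die "Cannot open $filename: $!\n";
    print "<pre>\n";
@@ -87,6 +116,7 @@ sub print_file ($) {
        s/</&lt;/g;
        s/>/&gt;/g;
        s/"/&quot;/g;
+       s/\b($urls:[$any]+?)(?=[$punc]*[^$any]|$)/<a href="$1">$1<\/a>/igox;
        print;
    }
    print "</pre>";
@@ -95,5 +125,5 @@ sub print_file ($) {
 # Print a file without escaping HTML: -
 sub print_html ($) {
    my ($filename) = @_;
-   print `cat $filename`;
+   print `cat $filename 2>&1`;
 }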
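Review bot: The `2>&1` added to the backtick call in print_html (new line 128) routes cat's stderr into the HTML response, so a request for a missing or unreadable document now echoes the resolved server-side path back to the client in messages such as "No such file or directory", whereas print_file keeps the same failure on the server via `die`. The shell round-trip is also unnecessary, and its safety rests entirely on the `[a-zA-Z_\-0-9\.\/]` allowlist applied to $doc earlier in the diff; print_html's callers are outside these hunks, so it cannot be confirmed here that $filename is always that validated value. Reading the file directly removes both concerns: `open(my $fh, '<', $filename) or die "Cannot open $filename: $!\n";` then `print while <$fh>;` and `close($fh);`. Since this output is deliberately not HTML-escaped, a comment stating that it must only be given trusted on-disk files would also help the next maintainer.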
