--- web/cgi-bin/docs.cgi	2000/11/09 22:03:56	1.3
+++ web/cgi-bin/docs.cgi	2003/05/11 19:51:06	1.5.2.1
@@ -13,17 +13,32 @@ use CGI;
 $| = 1;
 
 # Settings
-my ($left) = "../left.inc" ;
-my ($title) = "../title.inc";
-my ($bottom) = "../bottom.inc";
+my ($left) = "../htdocs/left.inc" ;
+my ($title) = "../htdocs/title.inc";
+my ($bottom) = "../htdocs/bottom.inc";
 
 
 my ($query) = new CGI;
-my ($doc) = ($query->param('doc') =~ /^\s*(.*?\.txt)\s*$/);
-$doc = "../documentation/".$doc;
 
+# Note filenames may only have one dot in them, in the ".txt".
+# This prevents malicious users using "../" to view files.
+my ($doc) = ($query->param('doc') =~ /^\s*([^\.]*?\.txt)\s*$/);
+
 print "Content-type: text/html\n\n";
 
+unless (defined $doc) {
+    print "The link to this page was broken - it must specify a .txt file.";
+    exit;
+}
+
+# Prevent hackers from supplying a malformed document string.
+# I.e. only allow normal characters, slashes and dots.
+unless ($doc =~ /^[a-zA-Z_\-0-9\.\/]+$/) {
+    print "Malformed request";
+    exit;
+}
+$doc = "../htdocs/documentation/".$doc;
+
 print <<"END";
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
 
@@ -110,5 +125,5 @@ sub print_file ($) {
 # Print a file without escaping HTML: -
 sub print_html ($) {
     my ($filename) = @_;
-    print `cat $filename`;
+    print `cat $filename 2>&1`;
 }