
Comparing web/cgi-bin/docs.cgi (file contents):
Revision 1.2 by tdb, Thu Nov 2 20:59:43 2000 UTC vs.
Revision 1.5 by tdb, Sun May 6 19:16:40 2001 UTC

# Line 19 | Line 19 | my ($bottom) = "../bottom.inc";
19  
20  
21   my ($query) = new CGI;
22 my ($doc) = ($query->param('doc') =~ /^\s*(.*?\.txt)\s*$/);
23 $doc = "../documentation/".$doc;
22  
23 + # Note filenames may only have one dot in them, in the ".txt".
24 + # This prevents malicious users using "../" to view files.
25 + my ($doc) = ($query->param('doc') =~ /^\s*([^\.]*?\.txt)\s*$/);
26 +
27   print "Content-type: text/html\n\n";
28  
29 + unless (defined $doc) {
30 +    print "The link to this page was broken - it must specify a .txt file.";
31 +    exit;
32 + }
33 +
34 + # Prevent hackers from supplying a malformed document string.
35 + # I.e. only allow normal characters, slashes and dots.
36 + unless ($doc =~ /^[a-zA-Z_\-0-9\.\/]+$/) {
37 +    print "Go Away, you nasty hax0r!";
38 +    exit;
39 + }
40 + $doc = "../documentation/".$doc;
41 +
42   print <<"END";
43   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
44  
# Line 77 | Line 92 | exit 0;
92  
93   # Print a file, whilst escaping HTML: -
94   sub print_file ($) {
95 +    my ($urls) = '(' . join ('|', qw{
96 +                       http
97 +                       telnet
98 +                       gopher
99 +                       file
100 +                       wais
101 +                       ftp
102 +                       } )
103 +                   . ')';
104 +    
105 +    my ($ltrs) = '\w';
106 +    my ($gunk) = '/#~:.?+=&%@!\-';
107 +    my ($punc) = '.:?\-';
108 +    my ($any) = "${ltrs}${gunk}${punc}";
109      my ($filename) = @_;
110      open(FILE, $filename) or die "Cannot open $filename: $!\n";
111      print "<pre>\n";
# Line 87 | Line 116 | sub print_file ($) {
116          s/</&lt;/g;
117          s/>/&gt;/g;
118          s/"/&quot;/g;
119 +        s/\b($urls:[$any]+?)(?=[$punc]*[^$any]|$)/<a href="$1">$1<\/a>/igox;
120          print;
121      }
122      print "</pre>";
# Line 95 | Line 125 | sub print_file ($) {
125   # Print a file without escaping HTML: -
126   sub print_html ($) {
127      my ($filename) = @_;
128 <    print `cat $filename`;
128 >    print `cat $filename 2>&1`;
129   }
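Review bot: `print_html` still hands `$filename` to a shell through backticks, and the changed line's `2>&1` now copies whatever `cat` writes to stderr — typically a server-side path from a failed open — straight into the HTML response. The sub performs no validation of its own; in this file the only visible caller passes the `$doc` value filtered by the `[a-zA-Z_\-0-9\.\/]` check earlier in the diff, so the shell is presumably not reachable with metacharacters today, but the safety depends on that distant check rather than on `print_html` itself. Reading the file in Perl removes the shell entirely and keeps error text out of the page: `open my $fh, '<', $filename or die "Cannot open $filename: $!\n"; print <$fh>; close $fh;`. The same three-argument form would also suit the two-argument `open(FILE, $filename)` on the context line in `print_file`, where a filename beginning with a mode character is interpreted rather than opened.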
