w3m

Unnamed repository; edit this file to name it for gitweb.
git clone https://logand.com/git/w3m.git/
Log | Files | Refs | README

commit e46706eaac0e1df30536c7d8f47d9fc6d61e76fa
parent 03cd68a0dab9671be0c23fa7d064006227522747
Author: ukai <ukai>
Date:   Fri, 21 Dec 2001 18:33:41 +0000

Security hole in multipart.cgi.in, w3mman2html.cgi.in
From: Hironori Sakamoto <h-saka@lsi.nec.co.jp>

Diffstat:
MChangeLog | 8++++++++
Mscripts/multipart/multipart.cgi.in | 4++--
Mscripts/w3mhelp.cgi.in | 4++--
Mscripts/w3mman/w3mman2html.cgi.in | 6+++---
4 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog @@ -1,3 +1,11 @@ +2001-12-22 Hironori Sakamoto <h-saka@lsi.nec.co.jp> + + * Security hole in multipart.cgi.in, w3mman2html.cgi.in + * scripts/w3mhelp.cgi.in: open(F, "< $var") instead of open(F, $var) + * scripts/w3mhelp.cgi.in: fix eval qq{require ...}; + * scripts/multipart/multipart.cgi.in: ditto + * scripts/w3mman/w3mman2html.cgi.in: validate $keyword, $section, $man + 2001-12-21 Fumitoshi UKAI <ukai@debian.or.jp> * [w3m-dev-en 00656] diff --git a/scripts/multipart/multipart.cgi.in b/scripts/multipart/multipart.cgi.in @@ -25,7 +25,7 @@ if (defined($ENV{'QUERY_STRING'})) { $CGI = "file:///\$LIB/multipart.cgi?file=" . &html_quote($file); } -open(F, $file); +open(F, "< $file"); $end = 0; $mbody = ''; if (defined($boundary)) { @@ -258,7 +258,7 @@ sub load_mime_type { local($file) = @_; local(%m, $a, @b, $_); - open(M, $file) || return (); + open(M, "< $file") || return (); while(<M>) { /^#/ && next; chop; diff --git a/scripts/w3mhelp.cgi.in b/scripts/w3mhelp.cgi.in @@ -29,7 +29,7 @@ if (defined($ENV{'QUERY_STRING'})) { $tlang =~ s/\+|%([0-9A-Fa-f][0-9A-Fa-f])/$& eq '+' ? ' ' : pack('C', hex($1))/ge; $tlang =~ tr/A-Z/a-z/; print "tlang=$tlang\n"; - eval qq{require "w3mhelp-funcdesc.$tlang.pl"}; + eval {require "w3mhelp-funcdesc.$tlang.pl";}; if (defined(%funcdesc)) { $lang = $tlang; } @@ -37,7 +37,7 @@ if (defined($ENV{'QUERY_STRING'})) { } if (-f $keymap) { - open(KEYMAP, $keymap) || die "cannot open keymap: $keymap, $!"; + open(KEYMAP, "< $keymap") || die "cannot open keymap: $keymap, $!"; &load_keymap(*KEYMAP, $func); close(KEYMAP); } diff --git a/scripts/w3mman/w3mman2html.cgi.in b/scripts/w3mman/w3mman2html.cgi.in @@ -31,7 +31,7 @@ Content-Type: text/html <h2>man -k <b>$k</b></h2> <ul> EOF - $keyword =~ s:([^\w./]):\\$1:g; + $keyword =~ s:([^-\w\200-\377.,])::g; open(F, "$MAN -k $keyword 2> /dev/null |"); @line = (); while(<F>) { @@ -82,8 +82,8 @@ if ($man =~ s/\((\w+)\)$//) { $man_section = "$man"; } -$section =~ s:([^\w./]):\\$1:g; -$man =~ s:([^\w./]):\\$1:g; +$section =~ s:([^-\w\200-\377.,])::g; +$man =~ s:([^-\w\200-\377.,])::g; open(F, "$MAN $section $man 2> /dev/null |"); $ok = 0; undef $header;