commit e46706eaac0e1df30536c7d8f47d9fc6d61e76fa
parent 03cd68a0dab9671be0c23fa7d064006227522747
Author: ukai <ukai>
Date:   Fri, 21 Dec 2001 18:33:41 +0000
Security hole in multipart.cgi.in, w3mman2html.cgi.in
From: Hironori Sakamoto <h-saka@lsi.nec.co.jp>
Diffstat:
4 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,11 @@
+2001-12-22  Hironori Sakamoto <h-saka@lsi.nec.co.jp>
+
+	* Security hole in multipart.cgi.in, w3mman2html.cgi.in
+	* scripts/w3mhelp.cgi.in: open(F, "< $var") instead of open(F, $var)
+	* scripts/w3mhelp.cgi.in: fix eval qq{require ...};
+	* scripts/multipart/multipart.cgi.in: ditto
+	* scripts/w3mman/w3mman2html.cgi.in: validate $keyword, $section, $man
+
 2001-12-21  Fumitoshi UKAI  <ukai@debian.or.jp>
 
 	* [w3m-dev-en 00656]
diff --git a/scripts/multipart/multipart.cgi.in b/scripts/multipart/multipart.cgi.in
@@ -25,7 +25,7 @@ if (defined($ENV{'QUERY_STRING'})) {
 	$CGI = "file:///\$LIB/multipart.cgi?file=" . &html_quote($file);
 }
 
-open(F, $file);
+open(F, "< $file");
 $end = 0;
 $mbody = '';
 if (defined($boundary)) {
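Review bot: The result of `open(F, "< $file")` is not checked, so a missing or unreadable file falls through to the parsing code below with an unopened handle; add `|| die "cannot open $file: $!"` or an equivalent error response. The `"< "` prefix forces read mode, but this is still the two-argument form, which trims leading and trailing whitespace from the name; where the targeted Perl is 5.6 or later, `open(F, '<', $file)` treats the name literally. `$file` appears to come from QUERY_STRING (the assignment is outside the hunk), so it is worth confirming that it is restricted to the files this CGI is meant to read. The same two-argument form is used in the `load_mime_type` hunk of this file and in the keymap `open` in scripts/w3mhelp.cgi.in.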
@@ -258,7 +258,7 @@ sub load_mime_type {
 	local($file) = @_;
 	local(%m, $a, @b, $_);
 
-	open(M, $file) || return ();
+	open(M, "< $file") || return ();
 	while(<M>) {
 		/^#/ && next;
 		chop;
diff --git a/scripts/w3mhelp.cgi.in b/scripts/w3mhelp.cgi.in
@@ -29,7 +29,7 @@ if (defined($ENV{'QUERY_STRING'})) {
 	$tlang =~ s/\+|%([0-9A-Fa-f][0-9A-Fa-f])/$& eq '+' ? ' ' : pack('C', hex($1))/ge;
 	$tlang =~ tr/A-Z/a-z/;
 	print "tlang=$tlang\n";
-	eval qq{require "w3mhelp-funcdesc.$tlang.pl"};
+	eval {require "w3mhelp-funcdesc.$tlang.pl";};
 	if (defined(%funcdesc)) {
 	    $lang = $tlang;
 	}
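Review bot: `$tlang` still reaches the `require` path unvalidated. It is percent-decoded from the query string two lines earlier, so the block eval stops it from being parsed as code, but it can still contain `/`, extra `.` or NUL bytes and so name a file other than a w3mhelp-funcdesc.*.pl. Restrict it to a language-tag shape before loading, e.g. `if ($tlang =~ /\A[a-z][a-z0-9_-]*\z/) { eval { require "w3mhelp-funcdesc.$tlang.pl"; }; }`. The `print "tlang=$tlang\n";` context line also echoes the decoded value as-is, which looks like leftover debug output. The enclosing `if` block starts outside the hunk.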
@@ -37,7 +37,7 @@ if (defined($ENV{'QUERY_STRING'})) {
 }
 
 if (-f $keymap) {
-    open(KEYMAP, $keymap) || die "cannot open keymap: $keymap, $!";
+    open(KEYMAP, "< $keymap") || die "cannot open keymap: $keymap, $!";
     &load_keymap(*KEYMAP, $func);
     close(KEYMAP);
 }
diff --git a/scripts/w3mman/w3mman2html.cgi.in b/scripts/w3mman/w3mman2html.cgi.in
@@ -31,7 +31,7 @@ Content-Type: text/html
 <h2>man -k <b>$k</b></h2>
 <ul>
 EOF
-    $keyword =~ s:([^\w./]):\\$1:g;
+    $keyword =~ s:([^-\w\200-\377.,])::g;
     open(F, "$MAN -k $keyword 2> /dev/null |");
     @line = ();
     while(<F>) {
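Review bot: The new filter on `$keyword` keeps `-`, so a value that begins with a dash is still handed to `$MAN -k` as an option rather than as a search term. A value made up only of removed characters also leaves the command with no keyword at all. Strip leading dashes and skip the call on an empty result, e.g. `$keyword =~ s:^-+::;` followed by a check that `$keyword ne ''`. The command still runs through the shell, so the safety of this line rests entirely on the character class. The same applies to `$section` and `$man` in the next hunk of this file.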
@@ -82,8 +82,8 @@ if ($man =~ s/\((\w+)\)$//) {
   $man_section = "$man";
 }
 
-$section =~ s:([^\w./]):\\$1:g;
-$man =~ s:([^\w./]):\\$1:g;
+$section =~ s:([^-\w\200-\377.,])::g;
+$man =~ s:([^-\w\200-\377.,])::g;
 open(F, "$MAN $section $man 2> /dev/null |");
 $ok = 0;
 undef $header;