authorFumitoshi UKAI <ukai@debian.or.jp>2001-12-21 18:33:41 +0000
committerFumitoshi UKAI <ukai@debian.or.jp>2001-12-21 18:33:41 +0000
commit54702c4d832bdcb24f24852a96d5336e5adca75a (patch)
treefe085dcc00e3e163a238798a9ab10c2319a1bad7
parenthelpdir default PREFIX/share/w3m (diff)
downloadw3m-54702c4d832bdcb24f24852a96d5336e5adca75a.tar.gz
w3m-54702c4d832bdcb24f24852a96d5336e5adca75a.zip
Security hole in multipart.cgi.in, w3mman2html.cgi.in
From: Hironori Sakamoto <h-saka@lsi.nec.co.jp>
-rw-r--r--ChangeLog10
-rw-r--r--scripts/multipart/multipart.cgi.in4
-rw-r--r--scripts/w3mhelp.cgi.in6
-rw-r--r--scripts/w3mman/w3mman2html.cgi.in6
4 files changed, 17 insertions, 9 deletions
diff --git a/ChangeLog b/ChangeLog
index 0aa2b16..b1d1c72 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2001-12-22 Hironori Sakamoto <h-saka@lsi.nec.co.jp>
+
+ * Security hole in multipart.cgi.in, w3mman2html.cgi.in
+ * scripts/w3mhelp.cgi.in: open(F, "< $var") instead of open(F, $var)
+ * scripts/w3mhelp.cgi.in: fix eval qq{require ...};
+ * scripts/multipart/multipart.cgi.in: ditto
+ * scripts/w3mman/w3mman2html.cgi.in: validate $keyword, $section, $man
+
2001-12-21 Fumitoshi UKAI <ukai@debian.or.jp>
* [w3m-dev-en 00656]
@@ -1369,4 +1377,4 @@
* release-0-2-1
* import w3m-0.2.1
-$Id: ChangeLog,v 1.152 2001/12/21 02:11:49 ukai Exp $
+$Id: ChangeLog,v 1.153 2001/12/21 18:33:41 ukai Exp $
diff --git a/scripts/multipart/multipart.cgi.in b/scripts/multipart/multipart.cgi.in
index be4e6a0..fb13443 100644
--- a/scripts/multipart/multipart.cgi.in
+++ b/scripts/multipart/multipart.cgi.in
@@ -25,7 +25,7 @@ if (defined($ENV{'QUERY_STRING'})) {
$CGI = "file:///\$LIB/multipart.cgi?file=" . &html_quote($file);
}
-open(F, $file);
+open(F, "< $file");
$end = 0;
$mbody = '';
if (defined($boundary)) {
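Review bot: The new `open(F, "< $file");` still discards the return value, so a missing or unreadable file falls through to the code that reads from `F` with nothing reported; a check such as `open(F, "< $file") || die "cannot open $file: $!";` would surface it. The two-argument form also still trims leading and trailing whitespace from the name, so where the installed Perl supports it, `open(F, '<', $file)` would take the name literally. The same two-argument form is used in `load_mime_type` in this file and for `KEYMAP` in scripts/w3mhelp.cgi.in, though both of those do test the result. The code that sets `$file` is outside the hunk, but the header and the `file=` URL suggest it comes from the request.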
@@ -258,7 +258,7 @@ sub load_mime_type {
local($file) = @_;
local(%m, $a, @b, $_);
- open(M, $file) || return ();
+ open(M, "< $file") || return ();
while(<M>) {
/^#/ && next;
chop;
diff --git a/scripts/w3mhelp.cgi.in b/scripts/w3mhelp.cgi.in
index 7f11047..2045224 100644
--- a/scripts/w3mhelp.cgi.in
+++ b/scripts/w3mhelp.cgi.in
@@ -1,5 +1,5 @@
#!@PERL@
-# $Id: w3mhelp.cgi.in,v 1.3 2001/12/02 13:16:29 ukai Exp $
+# $Id: w3mhelp.cgi.in,v 1.4 2001/12/21 18:33:41 ukai Exp $
$helpdir = "@HELP_DIR@";
unshift(@INC, $helpdir);
@@ -29,7 +29,7 @@ if (defined($ENV{'QUERY_STRING'})) {
$tlang =~ s/\+|%([0-9A-Fa-f][0-9A-Fa-f])/$& eq '+' ? ' ' : pack('C', hex($1))/ge;
$tlang =~ tr/A-Z/a-z/;
print "tlang=$tlang\n";
- eval qq{require "w3mhelp-funcdesc.$tlang.pl"};
+ eval {require "w3mhelp-funcdesc.$tlang.pl";};
if (defined(%funcdesc)) {
$lang = $tlang;
}
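Review bot: `$tlang` appears to come from the query string and reaches the `require` path after only percent-decoding and lower-casing, so the block form of `eval` stops it being parsed as Perl code but does not limit which file name is looked up. Restricting it first, for example `if ($tlang =~ /^[a-z0-9_-]+$/) { eval { require "w3mhelp-funcdesc.$tlang.pl"; }; }`, would keep the lookup to language tags. `print "tlang=$tlang\n";` two lines above echoes the decoded value and looks like leftover debug output. The enclosing block starts and ends outside the hunk.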
@@ -37,7 +37,7 @@ if (defined($ENV{'QUERY_STRING'})) {
}
if (-f $keymap) {
- open(KEYMAP, $keymap) || die "cannot open keymap: $keymap, $!";
+ open(KEYMAP, "< $keymap") || die "cannot open keymap: $keymap, $!";
&load_keymap(*KEYMAP, $func);
close(KEYMAP);
}
diff --git a/scripts/w3mman/w3mman2html.cgi.in b/scripts/w3mman/w3mman2html.cgi.in
index 68f318a..6786928 100644
--- a/scripts/w3mman/w3mman2html.cgi.in
+++ b/scripts/w3mman/w3mman2html.cgi.in
@@ -31,7 +31,7 @@ Content-Type: text/html
<h2>man -k <b>$k</b></h2>
<ul>
EOF
- $keyword =~ s:([^\w./]):\\$1:g;
+ $keyword =~ s:([^-\w\200-\377.,])::g;
open(F, "$MAN -k $keyword 2> /dev/null |");
@line = ();
while(<F>) {
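Review bot: The new filter for `$keyword` keeps `-`, so a value that begins with a hyphen reaches `$MAN -k` as an option rather than a search term, and a value made up only of removed characters leaves the command with no argument. Stripping leading hyphens with `$keyword =~ s/^-+//;` and skipping the call when the result is empty would cover both cases. The same applies to `$section` and `$man` in the later hunk of this file. The `open` result is also not checked before the `while(<F>)` loop, whose body continues outside the hunk.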
@@ -82,8 +82,8 @@ if ($man =~ s/\((\w+)\)$//) {
$man_section = "$man";
}
-$section =~ s:([^\w./]):\\$1:g;
-$man =~ s:([^\w./]):\\$1:g;
+$section =~ s:([^-\w\200-\377.,])::g;
+$man =~ s:([^-\w\200-\377.,])::g;
open(F, "$MAN $section $man 2> /dev/null |");
$ok = 0;
undef $header;