From 549ee1cc09be5bbdc613649eb9be3ebc122c0331 Mon Sep 17 00:00:00 2001
From: Fumitoshi UKAI <ukai@debian.or.jp>
Date: Wed, 15 Jan 2003 17:13:21 +0000
Subject: [w3m-dev 03644] Re: Other user can see local cookie. * cookie.c
 (save_cookies): return if no_rc_dir * etc.c (tmpf_base): add cookie 
 (tmpfname): use tmp_dir instead of rc_dir * file.c (loadGeneralFile): cookie
 is not passed via URL * fm.h (TMPF_COOKIE): incl 	(MAX_TMPF_TYPE): incl 
 (no_rc_dir): added 	(tmp_dir): added 	(config_file): added * local.c
 (Local_cookie_file): added 	(writeLocalCookie): added 
 (setLocalCookie): dont set environment LOCAL_COOKIE 	(localcgi_post):
 writeLocalCookie 	(localcgi_get): writeLocalCookie * main.c
 (config_filename): deleted 	(cmd_loadURL): arg FormList 	(main):
 rewrite config_file, rc 	(ldhelp): no cookie in URL 	(cmd_loadURL):
 arg FormList 	(goURL0): cmd_loadURL change 	(cmd_loadBuffer): cmd_loadURL
 change 	(adBmark): cookie is posted 	(follow_map): cmd_loadURL
 change 	(linkMn): cmd_loadURL change 	(reinit): init_rc change *
 proto.h (create_option_search_table): deleted 	(init_rc): no args * rc.c
 (create_option_search_table): static 	(init_rc): no args 	
 rewrite 	(optionpanel_src1): rewrite 	(load_option_panel):
 html_quote 	(panel_set_option): no_rc_dir * w3mbookmark.c: rewrite *
 w3mhelperpanel.c: rewrite * scripts/dirlist.cgi.in: rewrite *
 scripts/w3mhelp.cgi.in: rewrite * scripts/w3mmail.cgi.in: rewrite *
 scripts/multipart/multipart.cgi.in: rewrite From: Hironori SAKAMOTO
 <hsaka@mth.biglobe.ne.jp>

---
 scripts/dirlist.cgi.in             | 61 ++++++++++++++++----------------------
 scripts/multipart/multipart.cgi.in | 25 ++++------------
 scripts/w3mhelp.cgi.in             | 18 ++---------
 scripts/w3mmail.cgi.in             | 33 ++++++++++++++-------
 4 files changed, 55 insertions(+), 82 deletions(-)

(limited to 'scripts')

diff --git a/scripts/dirlist.cgi.in b/scripts/dirlist.cgi.in
index 9bed644..2949ebe 100755
--- a/scripts/dirlist.cgi.in
+++ b/scripts/dirlist.cgi.in
@@ -33,15 +33,16 @@ $query = $ENV{'QUERY_STRING'};
 $dir = '';
 $cmd = '';
 $cookie = '';
-# $cgi = 0;
-# if ($query eq '') {
-#   $_ = `pwd`;	# insecure?
-#   chop;
-#   s/\r$//;
-#   $dir = $_;
-#   $cgi = 0;
-# } elsif ($query =~ /^(opt\d+|dir|cmd|cookie)=/) {
-  foreach(split(/\&/, $query)) {
+$local_cookie = '';
+foreach(split(/\&/, $query)) {
+  if (s/^dir=//) {
+    $dir = &form_decode($_);
+  }
+}
+$body = undef;
+if ($ENV{'REQUEST_METHOD'} eq 'POST') {
+  sysread(STDIN, $body, $ENV{'CONTENT_LENGTH'});
+  foreach(split(/\&/, $body)) {
     if (s/^dir=//) {
       $dir = &form_decode($_);
     } elsif (s/^opt(\d+)=//) {
@@ -52,27 +53,22 @@ $cookie = '';
       $cookie = &form_decode($_);
     }
   }
-  if (($cookie eq "") || ($cookie ne $ENV{"LOCAL_COOKIE"})) {
-    print <<EOF;
+}
+$cookie_file = $ENV{'LOCAL_COOKIE_FILE'};
+if (-f $cookie_file) {
+   open(F, "< $cookie_file");
+   $local_cookie = <F>;
+   close(F);
+}
+if ($local_cookie eq '' || (defined($body) && $cookie ne $local_cookie)) {
+  print <<EOF;
 Content-Type: text/plain
 
 Local cookie doesn't match: It may be an illegal execution
 EOF
-    exit(1);
-  }
- $cookie =  &html_quote($cookie);
-  $cgi = 1;
-# } else {
-#   $dir = $query;
-#   if (($dir !~ m@^/@) &&
-#       ($WIN32 && $dir !~ /^[a-z]:/i)) {
-#     $_ = `pwd`;	# insecure?
-#     chop;
-#     s/\r$//;
-#     $dir = "$_/$dir";
-#   }
-#   $cgi = -1;
-# }
+  exit(1);
+}
+$local_cookie =  &html_quote($local_cookie);
 if ($dir !~ m@/$@) {
   $dir .= '/';
 }
@@ -88,9 +84,7 @@ if ($WIN32) {
       $ROOT = &cygwin_pathconv("$ROOT");
   }
 }
-if ($cgi) {
-  $dir = &cleanup($dir);
-}
+$dir = &cleanup($dir);
 
 $TYPE   = $OPT[$OPT_TYPE];
 $FORMAT = $OPT[$OPT_FORMAT];
@@ -117,9 +111,6 @@ EOF
   exit 1;
 }
 
-# ($cgi > 0) && print <<EOF;
-# w3m-control: DELETE_PREVBUF
-# EOF
 print <<EOF;
 Content-Type: text/html
 
@@ -404,9 +395,9 @@ sub print_form {
   local($_, @vs, @os, $v, $o);
 
   print <<EOF;
-<form action=\"$CGI\">
+<form method=post action=\"$CGI#current\">
 <center>
-<table>
+<table cellpadding=0>
 <tr valign=top>
 EOF
   foreach(0 .. 2) {
@@ -433,7 +424,7 @@ EOF
 </table>
 </center>
 <input type=hidden name=dir value="$d">
-<input type=hidden name=cookie value="$cookie">
+<input type=hidden name=cookie value="$local_cookie">
 </form>
 EOF
 }
diff --git a/scripts/multipart/multipart.cgi.in b/scripts/multipart/multipart.cgi.in
index d51a521..1dd981a 100644
--- a/scripts/multipart/multipart.cgi.in
+++ b/scripts/multipart/multipart.cgi.in
@@ -28,24 +28,14 @@ if (defined($query)) {
 	}
 	$file = &form_decode($v{'file'});
 	$boundary = &form_decode($v{'boundary'});
-	$cookie = &form_decode($v{'cookie'});
-	if (($cookie eq "") || ($cookie ne $ENV{"LOCAL_COOKIE"})) {
-		print <<EOF;
-Content-Type: text/plain
-
-Local cookie doesn't match: It may be an illegal execution
-EOF
-		exit(1);
-	}
 } else {
 	$file = $ARGV[0];
 	if (@ARGV >= 2) {
 		$boundary = $ARGV[1];
 	}
-	$cookie = $ENV{'LOCAL_COOKIE'};
 }
-
-open(F, "< $file");
+(-f $file) || exit(1);
+open(F, "< $file") || exit(1);
 $end = 0;
 $mbody = '';
 if (defined($boundary)) {
@@ -131,7 +121,6 @@ if (defined($v{'count'})) {
 $qcgi = &html_quote($CGI);
 $qfile = &html_quote($file);
 $qboundary = &html_quote($boundary);
-$qcookie = &html_quote($cookie);
 
 if ($mbody =~ /\S/) {
 	$_ = $mbody;
@@ -196,20 +185,16 @@ while(! $end) {
 		s/\>/\&gt;/g;
 		print "<pre>\n";
 		print $_;
-		print "\n</pre>\n";
+		print "</pre>\n";
 		if ($type =~ /name=\"?([^\"]+)\"?/ ||
 			$dispos =~ /filename=\"?([^\"]+)\"?/) {
 			$name = $1;
 		} else {
 			$name = "Content";
 		}
-		print "<form method=POST action=\"$qcgi?$count\">\n";
-		print "<input type=hidden name=file value=\"$qfile\">\n";
-		print "<input type=hidden name=boundary value=\"$qboundary\">\n";
-		print "<input type=hidden name=cookie value=\"$qcookie\">\n";
-		print "<input type=hidden name=count value=\"$count\">\n";
+		print "<form action=\"$qcgi?file=$qfile&amp;boundary=$qboundary&amp;count=$count\">\n";
 		if ($image) {
-			print "<input type=image name=submit src=\"$CGI?file=$qfile&amp;boundary=$qboundary&amp;cookie=$qcookie&amp;count=$count\" alt=\"",
+			print "<input type=image name=submit src=\"$qcgi?file=$qfile&amp;boundary=$qboundary&amp;count=$count\" alt=\"",
 				&html_quote($name), "\">\n";
 		} else {
 			print "<input type=submit name=submit value=\"",
diff --git a/scripts/w3mhelp.cgi.in b/scripts/w3mhelp.cgi.in
index f7b247c..12c1b63 100644
--- a/scripts/w3mhelp.cgi.in
+++ b/scripts/w3mhelp.cgi.in
@@ -1,5 +1,5 @@
 #!@PERL@
-# $Id: w3mhelp.cgi.in,v 1.22 2002/12/11 02:57:30 ukai Exp $
+# $Id: w3mhelp.cgi.in,v 1.23 2003/01/15 17:13:22 ukai Exp $
 
 if ( $^O =~ /^(ms)?(dos|win(32|nt)?)/i ) {
   $CYGPATH = 1;
@@ -49,18 +49,6 @@ if (defined($ENV{'QUERY_STRING'})) {
 	    $lang = $tlang;
 	}
     }
-    if ($ENV{'QUERY_STRING'} =~ /(^|&)cookie=([^&]*)/) {
-	$cookie = $2;
-	$cookie =~ s/\+|%([0-9A-Fa-f][0-9A-Fa-f])/$& eq '+' ? ' ' : pack('C', hex($1))/ge;
-    }
-}
-if (($cookie eq "") || ($cookie ne $ENV{"LOCAL_COOKIE"})) {
-    print <<EOF;
-Content-Type: text/plain
-
-Local cookie doesn't match: It may be an illegal execution
-EOF
-    exit(1);
 }
 
 %f = %keyfunc;
@@ -115,9 +103,7 @@ HEADING
 
 $q_version = $version;
 $q_version =~ s/[^A-Za-z0-9_\$\.\-]/sprintf('%%%02X', ord($&))/ge;
-$q_cookie = $cookie;
-$q_cookie =~ s/[^A-Za-z0-9_\$\.\-]/sprintf('%%%02X', ord($&))/ge;
-$script = "<A HREF=\"$ENV{'SCRIPT_NAME'}?cookie=$q_cookie&version=$q_version&amp;lang=";
+$script = "<A HREF=\"$ENV{'SCRIPT_NAME'}?version=$q_version&amp;lang=";
 
 # doc:en_English doc-jp:ja_Japanese
 for $otherlang (@docdirs) {
diff --git a/scripts/w3mmail.cgi.in b/scripts/w3mmail.cgi.in
index a3fcaab..e544362 100755
--- a/scripts/w3mmail.cgi.in
+++ b/scripts/w3mmail.cgi.in
@@ -1,15 +1,21 @@
 #!@PERL@
 
-$rcsid = q$Id: w3mmail.cgi.in,v 1.11 2002/11/11 15:50:28 ukai Exp $;
+$rcsid = q$Id: w3mmail.cgi.in,v 1.12 2003/01/15 17:13:22 ukai Exp $;
 ($id = $rcsid) =~ s/^.*,v ([\d\.]*).*/$1/;
 ($prog=$0) =~ s/.*\///;
 
 $query = $ENV{'QUERY_STRING'};
-$local_cookie = $ENV{'LOCAL_COOKIE'};
+$cookie_file = $ENV{'LOCAL_COOKIE_FILE'};
+$local_cookie = '';
 $SENDMAIL = '/usr/lib/sendmail';
 $SENDMAIL = '/usr/sbin/sendmail' if -x '/usr/sbin/sendmail';
 $SENDMAIL_OPT = '-oi -t';
 
+if (-f $cookie_file) {
+    open(F, "< $cookie_file");
+    $local_cookie = <F>;
+    close(F);
+}
 if ($query =~ s/^\w+://) {
     $url = $query;
     $qurl = &html_quote($url);
@@ -43,8 +49,9 @@ if ($query =~ s/^\w+://) {
     print "\r\n";
     print "<html><head><title>W3M Mailer: $qurl</title></head>\n";
     print "<body><h1>W3M Mailer: $qurl</h1>\n";
-    print "<form action='file://$0' method='POST'>\n";
-    print "<input type='hidden' name='cookie' value='$local_cookie'>\n";
+    print "<form action=\"file://$0\" method='POST'>\n";
+    $local_cookie = &html_quote($local_cookie);
+    print "<input type='hidden' name='cookie' value=\"$local_cookie\">\n";
     print "<table>\n";
     foreach $h ('from', 'to', 'cc', 'bcc', 'subject') {
 	$v = &lang_html_quote($opt{$h});
@@ -52,6 +59,7 @@ if ($query =~ s/^\w+://) {
 	delete $opt{$h};
     }
     if ($boundary) {
+	$boundary = &html_quote($boundary);
 	print "<tr><td>Content-Type:<td>multipart/form-data; boundary=\"$boundary\"\n";
 	print "<input type='hidden' name='boundary' value=\"$boundary\">\n";
     }
@@ -98,8 +106,9 @@ if ($query =~ s/^\w+://) {
 	print "<html><head><title>W3M Mailer</title></head>\n";
 	print "<body>\n";
 	print "<h1>W3M Mailer: preview</h1>\n";
-	print "<form action='$0' method='POST'>\n";
-	print "<input type='hidden' name='cookie' value='$local_cookie'>\n";
+	print "<form action=\"file://$0\" method='POST'>\n";
+	$local_cookie = &html_quote($local_cookie);
+	print "<input type='hidden' name='cookie' value=\"$local_cookie\">\n";
 	print "<hr>\n";
 	print "<pre>\n";
 	foreach $h (keys %opt) {
@@ -112,13 +121,15 @@ if ($query =~ s/^\w+://) {
 	($cs,$cte,$body) = &lang_body(&lang_html_quote($body), 0);
 	print "Mime-Version: 1.0\n";
 	if ($boundary) {
+	    $boundary = &html_quote($boundary);
 	    print "Content-Type: multipart/form-data;\n";
 	    print "    boundary=\"$boundary\"\n";
 	} else {
 	    print "Content-Type: text/plain; charset=$cs\n";
 	}
 #	print "Content-Transfer-Encoding: $cte\n";
-	print "User-Agent: $ENV{'SERVER_SOFTWARE'} $prog/$id\n";
+	print "User-Agent: ", &html_quote("$ENV{'SERVER_SOFTWARE'} $prog/$id"),
+		"\n";
 	print "\n";
 	print $body;
 	print "\n" if ($body !~ /\n$/);
@@ -137,10 +148,10 @@ if ($query =~ s/^\w+://) {
 	foreach $h (keys %opt) {
 	    $qh = &html_quote($h);
 	    print "<tr><td>\u$qh:<td>$v{$h}\n";
-	    print "<input type='hidden' name=\"$qh\" value=\"$v\">\n";
+	    print "<input type='hidden' name=\"$qh\" value=\"$v{$h}\">\n";
 	}
 	print "<tr><td colspan=2>\n";
-	print "<textarea cols=40 rows=10 name='body'>\n";
+	print "<textarea cols=40 rows=10 name=body>\n";
 	if ($body) {
 	    print $body;
 	}
@@ -158,7 +169,7 @@ if ($query =~ s/^\w+://) {
 	    print "\r\n";
 	    print "<html><head><title>W3M Mailer</title></head>\n";
 	    print "<body><h1>W3M Mailer: open sendmail failed</h1>\n";
-	    print "<p>$@</p>\n";
+	    print "<p>", &html_quote($@), "</p>\n";
 	    print "</body></html>\n";
 	    exit(0);
 	}
@@ -189,7 +200,7 @@ if ($query =~ s/^\w+://) {
 	    print "\r\n";
 	    print "<html><head><title>W3M Mailer</title></head>\n";
 	    print "<body><h1>W3M Mailer: close sendmail failed</h1>\n";
-	    print "<p>$@</p>\n";
+	    print "<p>", &html_quote($@), "</p>\n";
 	    print "</body></html>\n";
 	}
     }
-- 
cgit v1.2.3