r10976 - /man-cgi/man.cgi
Author: jfs
Date: Thu Jul 23 20:44:11 2015
New Revision: 10976
URL: http://svn.debian.org/wsvn/?sc=1&rev=10976
Log:
Add a sanitisation function to strip all unexpected characters from the user
input. This should prevent XSS attacks such as the one found by Gary McAdam
(see https://lists.debian.org/debian-www/2015/07/msg00035.html)
Modified:
man-cgi/man.cgi
Modified: man-cgi/man.cgi
URL: http://svn.debian.org/wsvn/man-cgi/man.cgi?rev=10976&op=diff
==============================================================================
--- man-cgi/man.cgi (original)
+++ man-cgi/man.cgi Thu Jul 23 20:44:11 2015
@@ -323,11 +323,7 @@
return &man($1, $2);
}
- # remove trailing spaces for dumb users
- $form{'query'} =~ s/\s+$//;
- $form{'query'} =~ s/^\s+//;
-
- $name = $query = $form{'query'};
+ $name = $query = clean_input($form{'query'});
$section = $form{'sektion'};
$apropos = $form{'apropos'};
$alttitle = $form{'title'};
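Review bot: Only `$form{'query'}` is routed through clean_input; `$form{'sektion'}`, `$form{'apropos'}` and `$form{'title'}` on the three lines after the changed one are still assigned straight from the form hash. If any of those values is later interpolated into the generated HTML (not visible in this hunk), it carries the same injection risk the commit sets out to close, so the same or a field-specific clean should be applied there too, e.g. `$section = clean_input($form{'sektion'});`. The enclosing code continues outside the hunk, so the later use of these variables cannot be confirmed from here.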
@@ -1524,6 +1520,21 @@
close(I);
}
+sub clean_input {
+ local($input) = @_;
+
+ # remove trailing spaces for dumb users
+ $input =~ s/\s+$//;
+ $input =~ s/^\s+//;
+
+ # Manpage names can only contain alphanumerical
+ # characters and a limited number of special characters
+ $input =~ s/[^A-Za-z0-9 :_\+\-\.]//;
+
+ return $input;
+}
+
+
# CGI script must die with error status 0
sub mydie {
local($message) = @_;
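Review bot: The whitelist substitution in clean_input, `$input =~ s/[^A-Za-z0-9 :_\+\-\.]//;`, has no `/g` modifier, so it deletes only the first disallowed character and leaves every later one in place; the filter therefore does not do what the log message claims, and the fix is `$input =~ s/[^A-Za-z0-9 :_\+\-\.]//g;`. It is also worth deciding whether silently stripping is preferable to rejecting input that fails the whitelist (via mydie), since a stripped name may quietly resolve to a different manpage than the one requested. `local($input) = @_;` declares a dynamically scoped package variable; `my ($input) = @_;` is the lexical form, although the existing `mydie` below uses the same `local` idiom, so this is a file-wide style question rather than a defect. A one-line header comment such as `# Trim surrounding whitespace and drop characters outside the manpage-name whitelist; returns the cleaned string.` would document the sub's contract.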