Author: jfs Date: Thu Jul 23 20:44:11 2015 New Revision: 10976 URL: http://svn.debian.org/wsvn/?sc=1&rev=10976 Log: Add a sanitisation function to clean all non-expected characters from the user input. This should prevent XSS attacks such as the one found by Gary McAdam
(see https://lists.debian.org/debian-www/2015/07/msg00035.html)
Modified: man-cgi/man.cgi
Modified: man-cgi/man.cgi
URL: http://svn.debian.org/wsvn/man-cgi/man.cgi?rev=10976&op=diff
==============================================================================
--- man-cgi/man.cgi (original)
+++ man-cgi/man.cgi Thu Jul 23 20:44:11 2015
@@ -323,11 +323,7 @@
 return &man($1, $2);
 }
- # remove trailing spaces for dumb users
- $form{'query'} =~ s/\s+$//;
- $form{'query'} =~ s/^\s+//;
-
- $name = $query = $form{'query'};
+ $name = $query = clean_input($form{'query'});
 $section = $form{'sektion'};
 $apropos = $form{'apropos'};
 $alttitle = $form{'title'};
@@ -1524,6 +1520,21 @@
 close(I);
 }
+sub clean_input {
+ local($input) = @_;
+
+ # remove trailing spaces for dumb users
+ $input =~ s/\s+$//;
+ $input =~ s/^\s+//;
+
+ # Manpage names can only contain alphanumerical
+ # characters and a limited number of special characters
+ $input =~ s/[^A-Za-z0-9 :_\+\-\.]//;
+
+ return $input;
+}
+
+
 # CGI script must die with error status 0
 sub mydie {
 local($message) = @_;
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: https://lists.debian.org/[email protected]
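Review bot: Only the `query` field is routed through clean_input(); on the three context lines that follow the changed one, `$section`, `$apropos` and `$alttitle` are still taken verbatim from `%form`. If any of those values is echoed back into the generated page (the `title` parameter in particular looks like it would be), the same injection the commit closes for `query` remains possible through that parameter. Unless they are escaped at the point of output, which this hunk does not show, the assignments should become `$section = clean_input($form{'sektion'});` and `$alttitle = clean_input($form{'title'});`. The enclosing subroutine starts and ends outside this hunk.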
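Review bot: The allow-list substitution `$input =~ s/[^A-Za-z0-9 :_\+\-\.]//;` in clean_input has no `/g` modifier, so it strips only the first disallowed character and leaves every later one in place — for an input such as `<b>x</b>` only the leading `<` is removed, and the markup the commit is meant to neutralise still gets through. The line should read `$input =~ s/[^A-Za-z0-9 :_\+\-\.]//g;`. Since a manpage name containing stray characters is almost certainly not what was requested, it would also be worth rejecting the request via mydie() when the name fails the allow-list rather than silently mangling it, though that is a design choice beyond the one-character fix. `local($input)` matches the file's existing style (mydie below uses the same form); `my` would be the modern choice but is not required here.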

