CVSROOT:	/cvs
Module name:	src
Changes by:	schwa...@cvs.openbsd.org	2014/07/19 05:35:09

Modified files:
	usr.bin/mandoc : cgi.c

Log message:
Security fix:
Validate the name of the file to show before opening it.
Only allow relative filenames starting with "man" or "cat"
and containing neither "/.." nor "../".
While here, correct the condition discarding an initial "./".
Vulnerability found by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
Many thanks for sending a patch; however, I did not use it
but made the checks even stricter.
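The checks the log message describes, written out as an added example. This is not the code from mandoc's cgi.c and is not the committed fix; the function name show_name_ok, the decision to strip a single leading "./" before the other tests, and the sample names are assumptions made for illustration. The function accepts a name only if it is relative, starts with "man" or "cat" once an initial "./" is discarded, and contains neither "/.." nor "../" anywhere.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not mandoc's code: validate a CGI "file to show"
 * parameter before it is used to open a file.
 *
 * Returns 1 if the name may be opened, 0 if it must be rejected.
 */
int
show_name_ok(const char *name)
{
	if (name == NULL || *name == '\0')
		return 0;

	/* Discard one initial "./" (assumption: a single prefix). */
	if (name[0] == '.' && name[1] == '/')
		name += 2;

	/* Must be a non-empty relative path: no leading slash. */
	if (*name == '\0' || *name == '/')
		return 0;

	/* Must start with "man" or "cat" (the section directories). */
	if (strncmp(name, "man", 3) != 0 && strncmp(name, "cat", 3) != 0)
		return 0;

	/* Reject any ".." path component, wherever it appears. */
	if (strstr(name, "/..") != NULL || strstr(name, "../") != NULL)
		return 0;

	return 1;
}

int
main(void)
{
	/* Constructed sample inputs, not taken from any real request. */
	const char *samples[] = {
		"man1/ls.1",		/* accepted */
		"./cat1/ls.0",		/* accepted after "./" is dropped */
		"/etc/passwd",		/* absolute path */
		"../etc/passwd",	/* does not start with man/cat */
		"man1/../../etc/passwd",/* contains "/.." */
		".//man1/ls.1",		/* leading slash once "./" is gone */
		"./",			/* empty after "./" is gone */
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-24s %s\n", samples[i],
		    show_name_ok(samples[i]) ? "ok" : "rejected");
	return 0;
}
```

The two substring tests are deliberately coarse: they also reject a file whose own name begins with ".." (for example "man1/..foo"), which is harmless here, and the prefix test by itself accepts any name beginning with the three letters, such as "mandir/x"; a deployment that needs the prefix to be exactly a section directory would additionally require a digit or '/' after "man" or "cat".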