CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2014/07/22 12:14:05
Modified files:
usr.bin/mandoc : cgi.c man.cgi.8
Log message:
Security fix to prevent XSS attacks:
Restrict the character set of strings passed into html_alloc(),
in particular architecture names that come from the QUERY_STRING,
but also SCRIPT_NAME and manpath.conf content for additional safety,
and bail out safely on violations.
Issue reported by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
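The mitigation the log describes, accepting only an allowlisted character set for values such as an architecture name from QUERY_STRING and bailing out before anything reaches HTML generation, written out as an added C example. This is not the mandoc cgi.c code; the function names and the exact accepted set are assumptions.

```c
#include <stdio.h>
#include <string.h>

/*
 * Return 1 if every byte of s is in a conservative allowlist,
 * 0 otherwise. The set is an assumption for this example: ASCII
 * letters, digits, '-', '_' and '.'. Explicit range checks are used
 * instead of isalnum() so the result does not depend on the locale.
 * Bytes that carry HTML or URI syntax ('<', '>', '"', '&', '/', ...)
 * are rejected, so a later html_alloc()-style call never sees them.
 */
int
urifrag_ok(const char *s)
{
	const unsigned char *p;

	if (s == NULL || *s == '\0')
		return 0;
	for (p = (const unsigned char *)s; *p != '\0'; p++) {
		if ((*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
		    (*p >= '0' && *p <= '9') ||
		    *p == '-' || *p == '_' || *p == '.')
			continue;
		return 0;
	}
	return 1;
}

/*
 * Validate an architecture name taken from the query string and copy it
 * into a fixed buffer only if it passes. Returns 1 on success and 0 when
 * the caller should stop and emit an error page instead of rendering.
 */
int
take_arch(const char *query_value, char *out, size_t outsz)
{
	if (!urifrag_ok(query_value) || strlen(query_value) >= outsz)
		return 0;
	strcpy(out, query_value);	/* length checked above */
	return 1;
}

int
main(void)
{
	char arch[32];
	const char *good = "amd64";		/* constructed sample input */
	const char *bad = "<script>x</script>";	/* constructed sample input */

	printf("%s: %s\n", good, take_arch(good, arch, sizeof(arch)) ? "accepted" : "rejected");
	printf("%s: %s\n", bad, take_arch(bad, arch, sizeof(arch)) ? "accepted" : "rejected");
	return 0;
}
```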
