diff options
author | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2014-07-22 18:14:06 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2014-07-22 18:14:06 +0000 |
commit | db16eddce6318d91b2e043e28bbbecb4a6edef5f (patch) | |
tree | c25308d1058f86d949b38b9a10c12dba1f78f604 /usr.bin/mandoc/man.cgi.8 | |
parent | 5c4160212c6bce9b70ebc7410962bfa636d6aac4 (diff) |
Security fix to prevent XSS attacks:
Restrict the character set of strings passed into html_alloc(),
in particular architecture names that come from the QUERY_STRING,
but also SCRIPT_NAME and manpath.conf content for additional safety,
and bail out safely on violations.
Issue reported by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
Diffstat (limited to 'usr.bin/mandoc/man.cgi.8')
-rw-r--r-- | usr.bin/mandoc/man.cgi.8 | 42 |
1 files changed, 40 insertions, 2 deletions
diff --git a/usr.bin/mandoc/man.cgi.8 b/usr.bin/mandoc/man.cgi.8 index ee860d6540e..b6260874ebf 100644 --- a/usr.bin/mandoc/man.cgi.8 +++ b/usr.bin/mandoc/man.cgi.8 @@ -1,4 +1,4 @@ -.\" $Id: man.cgi.8,v 1.6 2014/07/21 15:44:22 schwarze Exp $ +.\" $Id: man.cgi.8,v 1.7 2014/07/22 18:14:05 schwarze Exp $ .\" .\" Copyright (c) 2014 Ingo Schwarze <schwarze@openbsd.org> .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: July 21 2014 $ +.Dd $Mdocdate: July 22 2014 $ .Dt MAN.CGI 8 .Os .Sh NAME @@ -267,6 +267,34 @@ For backward compatibility with the traditional is supported as an alias for .Cm sec . .El +.Ss Restricted character set +For security reasons, in particular to prevent cross site scripting +attacks, some strings used by +.Nm +can only contain the following characters: +.Pp +.Bl -dash -compact -offset indent +.It +lower case and upper case ASCII letters +.It +the ten decimal digits +.It +the dash +.Pq Sq - +.It +the dot +.Pq Sq \&. +.It +the slash +.Pq Sq / +.It +the underscore +.Pq Sq _ +.El +.Pp +In particular, this applies to the +.Ev SCRIPT_NAME , +to all manpaths, and to all architecture names. .Sh ENVIRONMENT The web server may pass the following CGI variables to .Nm : @@ -293,6 +321,10 @@ binary relative to the server root, usually .Pa /cgi-bin/man.cgi . This is used for generating URIs to be embedded in generated HTML code and HTTP headers. +If this contains any character not contained in the +.Sx Restricted character set , +.Nm +reports an internal server error and exits without doing anything. .El .Sh FILES .Bl -tag -width Ds @@ -332,6 +364,12 @@ Manual pages documenting itself, linked from the index page. .It Pa /man/manpath.conf The list of available manpaths, one per line. +If any of the lines in this file contains a slash +.Pq Sq / +or any character not contained in the +.Sx Restricted character set , +.Nm +reports an internal server error and exits without doing anything. .It Pa /man/OpenBSD-current/man1/mandoc.1 An example .Xr mdoc 7 |