===================================================================
RCS file: /cvs/cvsweb/cvsweb.cgi,v
retrieving revision 1.1.1.29
retrieving revision 1.1.1.30
diff -u -p -r1.1.1.29 -r1.1.1.30
--- cvsweb/cvsweb.cgi 2002/04/10 20:03:49 1.1.1.29
+++ cvsweb/cvsweb.cgi 2002/05/22 07:00:03 1.1.1.30
@@ -43,7 +43,7 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
-# $FreeBSD: projects/cvsweb/cvsweb.cgi,v 1.90 2002/04/10 19:25:11 knu Exp $
+# $FreeBSD: projects/cvsweb/cvsweb.cgi,v 1.102 2002/05/22 06:51:59 knu Exp $
# $zId: cvsweb.cgi,v 1.112 2001/07/24 13:03:16 hzeller Exp $
# $Idaemons: /home/cvs/cvsweb/cvsweb.cgi,v 1.84 2001/10/07 20:50:10 knu Exp $
#
@@ -64,7 +64,8 @@ use vars qw (
@revisions %state %difflines %log %branchpoint @revorder
$prcgi @prcategories $re_prcategories $prkeyword $re_prkeyword $mancgi
$checkoutMagic $doCheckout $scriptname $scriptwhere
- $where $pathinfo $Browser $nofilelinks $maycompress @stickyvars
+ $where $pathinfo $Browser $nofilelinks $maycompress
+ @stickyvars @unsafevars
%funcline_regexp $is_mod_perl
$is_links $is_lynx $is_w3m $is_msie $is_mozilla3 $is_textbased
%input $query $barequery $sortby $bydate $byrev $byauthor
@@ -79,8 +80,10 @@ use vars qw (
$columnHeaderColorSorted $hr_breakable $showfunc $hr_ignwhite
$hr_ignkeysubst $diffcolorHeading $diffcolorEmpty $diffcolorRemove
$diffcolorChange $diffcolorAdd $diffcolorDarkChange $difffontface
- $difffontsize $inputTextSize $mime_types $allow_annotate
- $allow_markup $use_java_script $open_extern_window
+ $difffontsize $inputTextSize $mime_types
+ $allow_annotate $allow_markup
+ $allow_log_extra $allow_dir_extra $allow_source_extra
+ $use_java_script $open_extern_window
$extern_window_width $extern_window_height $edit_option_form
$show_subdir_lastmod $show_log_in_markup $preformat_in_markup $v
$navigationHeaderColor $tableBorderColor $markupLogColor
@@ -89,7 +92,7 @@ use vars qw (
$use_moddate $has_zlib $gzip_open
$allow_tar @tar_options @gzip_options @zip_options @cvs_options
$LOG_FILESEPARATOR $LOG_REVSEPARATOR
- $tmpdir
+ $tmpdir $HTML_DOCTYPE
);
sub printDiffSelect($);
@@ -144,11 +147,11 @@ sub forbidden_module($);
##### Start of Configuration Area ########
delete $ENV{PATH};
-$cvsweb_revision = '2.0.1';
+$cvsweb_revision = '2.0.2';
-use File::Basename;
+use File::Basename ();
-($mydir) = (dirname($0) =~ /(.*)/); # untaint
+($mydir) = (File::Basename::dirname($0) =~ /(.*)/); # untaint
# == EDIT this ==
# Locations to search for user configuration, in order:
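Review bot: The `/(.*)/` capture on the new `File::Basename::dirname($0)` line removes taint without constraining the value at all, so the `# untaint` comment should say why that is acceptable here, e.g. `# untaint: $0 is the script path set by the server, not request data`. Without `/s` the `.*` also stops at a newline, so a path containing one would be silently truncated rather than rejected; if that case matters, `m{\A(.*)\z}s` makes the intent explicit. Beyond that the hunk only qualifies the `dirname` call, which matches the `use File::Basename ();` import above it.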
@@ -163,6 +166,7 @@ for ("$mydir/cvsweb.conf", '/usr/local/etc/cvsweb/cvsw
# Defaults for configuration variables that shouldn't need
# to be configured..
$allow_version_select = 1;
+$allow_log_extra = 1;
##### End of Configuration Area ########
@@ -181,7 +185,7 @@ $cvstreedefault = $body_tag = $body_tag_for_src = $log
$extern_window_width = $extern_window_height = $edit_option_form =
$show_subdir_lastmod = $show_log_in_markup = $v = $navigationHeaderColor =
$tableBorderColor = $markupLogColor = $tabstop = $use_moddate = $moddate =
- $gzip_open = undef;
+ $gzip_open = $HTML_DOCTYPE = undef;
$tmpdir = defined($ENV{TMPDIR}) ? $ENV{TMPDIR} : "/var/tmp";
$LOG_FILESEPARATOR = q/^={77}$/;
@@ -229,10 +233,13 @@ $LOG_REVSEPARATOR = q/^-{28}$/;
},
);
+$HTML_DOCTYPE =
+ '';
+
##### End of configuration variables #####
-use Time::Local;
-use IPC::Open2;
+use Time::Local ();
+use IPC::Open2 qw(open2);
# Check if the zlib C library interface is installed, and if yes
# we can avoid using the extra gzip process.
@@ -295,9 +302,10 @@ $maycompress =
# their current value) to any link/query string
# you construct
@stickyvars = qw(cvsroot hideattic sortby logsort f only_with_tag);
+@unsafevars = qw(logsort only_with_tag r1 r2 rev sortby tr1 tr2);
if (-f $config) {
- require $config || &fatal(
+ do "$config" or &fatal(
"500 Internal Error",
sprintf(
'Error in loading configuration file: %s
%s ',
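Review bot: `do "$config" or &fatal(...)` treats the configuration file as failed whenever its last evaluated expression is false, so a cvsweb.conf that ends in `$foo = 0;` or a bare `undef` is reported as a load error even though it parsed and ran; the same pattern is repeated for `$config_cvstree` in the later hunk. The reliable check is to inspect the error variables rather than the return value, e.g. `do "$config"; &fatal("500 Internal Error", sprintf(...)) if $@ or $!;` (the `-f` test just above does not rule out an unreadable file, which sets `$!` but not `$@`). Also note that the new code mixes `&fatal(...)` with the plain `fatal(...)` used in the query-validation hunk below; one spelling, without the `&`, is preferable.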
@@ -331,6 +339,18 @@ if (defined($query) && $query ne '') {
$input{only_with_tag} = $input{only_on_branch}
if (defined($input{only_on_branch}));
+# Prevent cross-site scripting
+foreach (@unsafevars) {
+ if (defined($input{$_}) && $input{$_} =~ /[^\w\-.]/) {
+ fatal("500 Internal Error", "Malformed query string ($_)");
+ }
+}
+
+if (defined($input{"content-type"})) {
+ fatal("500 Internal Error", "Unsupported content-type")
+ if ($input{"content-type"} !~ /^[-0-9A-Za-z]+\/[-0-9A-Za-z]+$/);
+}
+
$DEFAULTVALUE{'cvsroot'} = $cvstreedefault;
foreach (keys %DEFAULTVALUE) {
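Review bot: The content-type pattern ends in `$`, which also matches before a trailing newline, so a value with a newline after the subtype passes the check; since this value presumably ends up in a response header, anchor with `\z` instead: `if ($input{"content-type"} !~ m{\A[-0-9A-Za-z]+/[-0-9A-Za-z]+\z});`. The same anchoring advice applies to any future tightening of the `@unsafevars` loop, whose negated class `[^\w\-.]` is fine as written. Both rejections report `500 Internal Error` for what is a malformed client request; `400 Bad Request` describes the condition more accurately and keeps genuine server failures distinguishable in the logs. A one-line comment above the loop stating that inputs not listed in `@unsafevars` (for example `cvsroot`) are validated by their own lookup code would help the next maintainer see the list is deliberate.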
@@ -409,21 +429,21 @@ $defaultDiffType = $input{'f'};
$logsort = $input{'logsort'};
-my @tmp = @CVSrepositories;
-my @pair;
+{
+ my @tmp = @CVSrepositories;
+ my @pair;
-while (@pair = splice(@tmp, 0, 2)) {
- my ($key, $val) = @pair;
- my ($descr, $cvsroot) = @$val;
+ while (@pair = splice(@tmp, 0, 2)) {
+ my ($key, $val) = @pair;
+ my ($descr, $cvsroot) = @$val;
- next if !-d $cvsroot;
+ next if !-d $cvsroot;
- $CVSROOTdescr{$key} = $descr;
- $CVSROOT{$key} = $cvsroot;
- push @CVSROOT, $key;
+ $CVSROOTdescr{$key} = $descr;
+ $CVSROOT{$key} = $cvsroot;
+ push @CVSROOT, $key;
+ }
}
-undef @tmp;
-undef @pair;
## Default CVS-Tree
if (!defined($CVSROOT{$cvstreedefault})) {
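Review bot: Inside the newly scoped block, `my ($descr, $cvsroot) = @$val;` dereferences `$val` without checking it, so an `@CVSrepositories` list with an odd number of elements, or an entry whose value is not an array reference, will die (under strict refs) or warn rather than produce a clear configuration error. A guard such as `next unless ref($val) eq 'ARRAY' && @$val == 2;`, or a `fatal` with the offending `$key`, would make the misconfiguration visible. The scoping change itself is an improvement over the former file-level `@tmp`/`@pair`.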
@@ -462,7 +482,7 @@ my $config_cvstree = "$config-$cvstree";
# Do some special configuration for cvstrees
if (-f $config_cvstree) {
- require $config_cvstree || &fatal(
+ do "$config_cvstree" or &fatal(
"500 Internal Error",
sprintf(
'Error in loading configuration file: %s
%s ',
@@ -592,7 +612,7 @@ if ($input{tarball}) {
###############################
if (-d $fullname) {
my $dh = do { local (*DH); };
- opendir($dh, $fullname) || &fatal("404 Not Found", "$where: $!");
+ opendir($dh, $fullname) or &fatal("404 Not Found", "$where: $!");
my @dir = readdir($dh);
closedir($dh);
my @subLevelFiles = findLastModifiedSubdirs(@dir)
@@ -641,16 +661,12 @@ if (-d $fullname) {
my $infocols = 0;
if ($dirtable) {
- if (defined($tableBorderColor)) {
-
- # Can't this be done by defining the border for the inner table?
- print
- "
";
+ print "\n";
# do not display the other column-headers, if we do not have any files
# with revision information:
if (scalar(%fileinfo)) {
$infocols++;
- printf '