===================================================================
RCS file: /cvs/mandoc/cgi.c,v
retrieving revision 1.83
retrieving revision 1.99
diff -u -p -r1.83 -r1.99
--- mandoc/cgi.c	2014/07/25 16:07:13	1.83
+++ mandoc/cgi.c	2014/10/07 18:20:06	1.99
@@ -1,4 +1,4 @@
-/*	$Id: cgi.c,v 1.83 2014/07/25 16:07:13 schwarze Exp $ */
+/*	$Id: cgi.c,v 1.99 2014/10/07 18:20:06 schwarze Exp $ */
 /*
  * Copyright (c) 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2014 Ingo Schwarze <schwarze@usta.de>
@@ -15,14 +15,16 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
-#ifdef HAVE_CONFIG_H
 #include "config.h"
-#endif
 
+#include <sys/types.h>
+#include <sys/time.h>
+
 #include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
+#include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -42,7 +44,7 @@ struct	query {
 	char		*manpath; /* desired manual directory */
 	char		*arch; /* architecture */
 	char		*sec; /* manual section */
-	char		*expr; /* unparsed expression string */
+	char		*query; /* unparsed query expression */
 	int		 equal; /* match whole names, not substrings */
 };
 
@@ -55,13 +57,12 @@ struct	req {
 static	void		 catman(const struct req *, const char *);
 static	void		 format(const struct req *, const char *);
 static	void		 html_print(const char *);
-static	void		 html_printquery(const struct req *);
 static	void		 html_putchar(char);
 static	int 		 http_decode(char *);
 static	void		 http_parse(struct req *, const char *);
 static	void		 http_print(const char *);
 static	void 		 http_putchar(char);
-static	void		 http_printquery(const struct req *);
+static	void		 http_printquery(const struct req *, const char *);
 static	void		 pathgen(struct req *);
 static	void		 pg_error_badrequest(const char *);
 static	void		 pg_error_internal(void);
@@ -76,6 +77,10 @@ static	void		 resp_begin_http(int, const char *);
 static	void		 resp_end_html(void);
 static	void		 resp_searchform(const struct req *);
 static	void		 resp_show(const struct req *, const char *);
+static	void		 set_query_attr(char **, char **);
+static	int		 validate_filename(const char *);
+static	int		 validate_manpath(const struct req *, const char *);
+static	int		 validate_urifrag(const char *);
 
 static	const char	 *scriptname; /* CGI script name */
 
@@ -87,14 +92,14 @@ static	const char *const sec_names[] = {
     "All Sections",
     "1 - General Commands",
     "2 - System Calls",
-    "3 - Subroutines",
-    "3p - Perl Subroutines",
-    "4 - Special Files",
+    "3 - Library Functions",
+    "3p - Perl Library",
+    "4 - Device Drivers",
     "5 - File Formats",
     "6 - Games",
-    "7 - Macros and Conventions",
-    "8 - Maintenance Commands",
-    "9 - Kernel Interface"
+    "7 - Miscellaneous Information",
+    "8 - System Manager\'s Manual",
+    "9 - Kernel Developer\'s Manual"
 };
 static	const int sec_MAX = sizeof(sec_names) / sizeof(char *);
 
@@ -141,54 +146,31 @@ html_putchar(char c)
 }
 
 static void
-http_printquery(const struct req *req)
+http_printquery(const struct req *req, const char *sep)
 {
 
-	if (NULL != req->q.manpath) {
-		printf("&manpath=");
-		http_print(req->q.manpath);
+	if (NULL != req->q.query) {
+		printf("query=");
+		http_print(req->q.query);
 	}
+	if (0 == req->q.equal)
+		printf("%sapropos=1", sep);
 	if (NULL != req->q.sec) {
-		printf("&sec=");
+		printf("%ssec=", sep);
 		http_print(req->q.sec);
 	}
 	if (NULL != req->q.arch) {
-		printf("&arch=");
+		printf("%sarch=", sep);
 		http_print(req->q.arch);
 	}
-	if (NULL != req->q.expr) {
-		printf("&query=");
-		http_print(req->q.expr);
+	if (NULL != req->q.manpath &&
+	    strcmp(req->q.manpath, req->p[0])) {
+		printf("%smanpath=", sep);
+		http_print(req->q.manpath);
 	}
-	if (0 == req->q.equal)
-		printf("&apropos=1");
 }
 
 static void
-html_printquery(const struct req *req)
-{
-
-	if (NULL != req->q.manpath) {
-		printf("&amp;manpath=");
-		html_print(req->q.manpath);
-	}
-	if (NULL != req->q.sec) {
-		printf("&amp;sec=");
-		html_print(req->q.sec);
-	}
-	if (NULL != req->q.arch) {
-		printf("&amp;arch=");
-		html_print(req->q.arch);
-	}
-	if (NULL != req->q.expr) {
-		printf("&amp;query=");
-		html_print(req->q.expr);
-	}
-	if (0 == req->q.equal)
-		printf("&amp;apropos=1");
-}
-
-static void
 http_print(const char *p)
 {
 
@@ -242,7 +224,7 @@ http_parse(struct req *req, const char *qs)
 	req->q.manpath	= NULL;
 	req->q.arch	= NULL;
 	req->q.sec	= NULL;
-	req->q.expr	= NULL;
+	req->q.query	= NULL;
 	req->q.equal	= 1;
 
 	key = val = NULL;
@@ -270,7 +252,7 @@ http_parse(struct req *req, const char *qs)
 		/* Handle key-value pairs. */
 
 		if ( ! strcmp(key, "query"))
-			set_query_attr(&req->q.expr, &val);
+			set_query_attr(&req->q.query, &val);
 
 		else if ( ! strcmp(key, "apropos"))
 			req->q.equal = !strcmp(val, "0");
@@ -394,13 +376,10 @@ resp_begin_html(int code, const char *msg)
 
 	resp_begin_http(code, msg);
 
-	printf("<!DOCTYPE HTML PUBLIC "
-	       " \"-//W3C//DTD HTML 4.01//EN\""
-	       " \"http://www.w3.org/TR/html4/strict.dtd\">\n"
+	printf("<!DOCTYPE html>\n"
 	       "<HTML>\n"
 	       "<HEAD>\n"
-	       "<META HTTP-EQUIV=\"Content-Type\""
-	       " CONTENT=\"text/html; charset=utf-8\">\n"
+	       "<META CHARSET=\"UTF-8\" />\n"
 	       "<LINK REL=\"stylesheet\" HREF=\"%s/man-cgi.css\""
 	       " TYPE=\"text/css\" media=\"all\">\n"
 	       "<LINK REL=\"stylesheet\" HREF=\"%s/man.css\""
@@ -437,8 +416,8 @@ resp_searchform(const struct req *req)
 
 	printf(	"<TABLE><TR><TD>\n"
 		"<INPUT TYPE=\"text\" NAME=\"query\" VALUE=\"");
-	if (NULL != req->q.expr)
-		html_print(req->q.expr);
+	if (NULL != req->q.query)
+		html_print(req->q.query);
 	puts("\" SIZE=\"40\">");
 
 	/* Write submission and reset buttons. */
@@ -451,19 +430,19 @@ resp_searchform(const struct req *req)
 	printf(	"</TD><TD>\n"
 		"<INPUT TYPE=\"radio\" ");
 	if (req->q.equal)
-		printf("CHECKED ");
+		printf("CHECKED=\"checked\" ");
 	printf(	"NAME=\"apropos\" ID=\"show\" VALUE=\"0\">\n"
 		"<LABEL FOR=\"show\">Show named manual page</LABEL>\n");
 
 	/* Write section selector. */
 
-	printf(	"</TD></TR><TR><TD>\n"
+	puts(	"</TD></TR><TR><TD>\n"
 		"<SELECT NAME=\"sec\">");
 	for (i = 0; i < sec_MAX; i++) {
 		printf("<OPTION VALUE=\"%s\"", sec_numbers[i]);
 		if (NULL != req->q.sec &&
 		    0 == strcmp(sec_numbers[i], req->q.sec))
-			printf(" SELECTED");
+			printf(" SELECTED=\"selected\"");
 		printf(">%s</OPTION>\n", sec_names[i]);
 	}
 	puts("</SELECT>");
@@ -473,13 +452,13 @@ resp_searchform(const struct req *req)
 	printf(	"<SELECT NAME=\"arch\">\n"
 		"<OPTION VALUE=\"default\"");
 	if (NULL == req->q.arch)
-		printf(" SELECTED");
+		printf(" SELECTED=\"selected\"");
 	puts(">All Architectures</OPTION>");
 	for (i = 0; i < arch_MAX; i++) {
 		printf("<OPTION VALUE=\"%s\"", arch_names[i]);
 		if (NULL != req->q.arch &&
 		    0 == strcmp(arch_names[i], req->q.arch))
-			printf(" SELECTED");
+			printf(" SELECTED=\"selected\"");
 		printf(">%s</OPTION>\n", arch_names[i]);
 	}
 	puts("</SELECT>");
@@ -492,7 +471,7 @@ resp_searchform(const struct req *req)
 			printf("<OPTION ");
 			if (NULL == req->q.manpath ? 0 == i :
 			    0 == strcmp(req->q.manpath, req->p[i]))
-				printf("SELECTED ");
+				printf("SELECTED=\"selected\" ");
 			printf("VALUE=\"");
 			html_print(req->p[i]);
 			printf("\">");
@@ -507,7 +486,7 @@ resp_searchform(const struct req *req)
 	printf(	"</TD><TD>\n"
 		"<INPUT TYPE=\"radio\" ");
 	if (0 == req->q.equal)
-		printf("CHECKED ");
+		printf("CHECKED=\"checked\" ");
 	printf(	"NAME=\"apropos\" ID=\"search\" VALUE=\"1\">\n"
 		"<LABEL FOR=\"search\">Search with apropos query</LABEL>\n");
 
@@ -565,10 +544,10 @@ pg_index(const struct req *req)
 	resp_begin_html(200, NULL);
 	resp_searchform(req);
 	printf("<P>\n"
-	       "This web interface is documented in the "
-	       "<A HREF=\"%s/mandoc/man8/man.cgi.8\">man.cgi</A> "
-	       "manual, and the "
-	       "<A HREF=\"%s/mandoc/man1/apropos.1\">apropos</A> "
+	       "This web interface is documented in the\n"
+	       "<A HREF=\"%s/mandoc/man8/man.cgi.8\">man.cgi</A>\n"
+	       "manual, and the\n"
+	       "<A HREF=\"%s/mandoc/man1/apropos.1\">apropos</A>\n"
 	       "manual explains the query syntax.\n"
 	       "</P>\n",
 	       scriptname, scriptname);
@@ -634,7 +613,7 @@ pg_searchres(const struct req *req, struct manpage *r,
 		printf("Status: 303 See Other\r\n");
 		printf("Location: http://%s%s/%s/%s?",
 		    HTTP_HOST, scriptname, req->q.manpath, r[0].file);
-		http_printquery(req);
+		http_printquery(req, "&");
 		printf("\r\n"
 		     "Content-Type: text/html; charset=utf-8\r\n"
 		     "\r\n");
@@ -651,7 +630,7 @@ pg_searchres(const struct req *req, struct manpage *r,
 		       "<TD CLASS=\"title\">\n"
 		       "<A HREF=\"%s/%s/%s?", 
 		    scriptname, req->q.manpath, r[i].file);
-		html_printquery(req);
+		http_printquery(req, "&amp;");
 		printf("\">");
 		html_print(r[i].names);
 		printf("</A>\n"
@@ -845,12 +824,13 @@ static void
 format(const struct req *req, const char *file)
 {
 	struct mparse	*mp;
-	int		 fd;
 	struct mdoc	*mdoc;
 	struct man	*man;
 	void		*vp;
+	char		*opts;
 	enum mandoclevel rc;
-	char		 opts[PATH_MAX + 128];
+	int		 fd;
+	int		 usepath;
 
 	if (-1 == (fd = open(file, O_RDONLY, 0))) {
 		puts("<P>You specified an invalid manual file.</P>");
@@ -869,10 +849,14 @@ format(const struct req *req, const char *file)
 		return;
 	}
 
-	snprintf(opts, sizeof(opts), "fragment,man=%s?"
-	    "manpath=%s&amp;query=%%N&amp;sec=%%S&amp;arch=%s",
-	    scriptname, req->q.manpath,
-	    req->q.arch ? req->q.arch : "");
+	usepath = strcmp(req->q.manpath, req->p[0]);
+	mandoc_asprintf(&opts,
+	    "fragment,man=%s?query=%%N&sec=%%S%s%s%s%s",
+	    scriptname,
+	    req->q.arch	? "&arch="       : "",
+	    req->q.arch	? req->q.arch    : "",
+	    usepath	? "&manpath="    : "",
+	    usepath	? req->q.manpath : "");
 
 	mparse_result(mp, &mdoc, &man, NULL);
 	if (NULL == man && NULL == mdoc) {
@@ -892,6 +876,7 @@ format(const struct req *req, const char *file)
 
 	html_free(vp);
 	mparse_free(mp);
+	free(opts);
 }
 
 static void
@@ -908,20 +893,23 @@ resp_show(const struct req *req, const char *file)
 }
 
 static void
-pg_show(struct req *req, const char *path)
+pg_show(struct req *req, const char *fullpath)
 {
-	char		*sub;
+	char		*manpath;
+	const char	*file;
 
-	if (NULL == path || NULL == (sub = strchr(path, '/'))) {
+	if ((file = strchr(fullpath, '/')) == NULL) {
 		pg_error_badrequest(
 		    "You did not specify a page to show.");
 		return;
 	} 
-	*sub++ = '\0';
+	manpath = mandoc_strndup(fullpath, file - fullpath);
+	file++;
 
-	if ( ! validate_manpath(req, path)) {
+	if ( ! validate_manpath(req, manpath)) {
 		pg_error_badrequest(
 		    "You specified an invalid manpath.");
+		free(manpath);
 		return;
 	}
 
@@ -931,27 +919,29 @@ pg_show(struct req *req, const char *path)
 	 * relative to the manpath root.
 	 */
 
-	if (-1 == chdir(path)) {
+	if (chdir(manpath) == -1) {
 		fprintf(stderr, "chdir %s: %s\n",
-		    path, strerror(errno));
+		    manpath, strerror(errno));
 		pg_error_internal();
+		free(manpath);
 		return;
 	}
 
-	if ( ! validate_filename(sub)) {
+	if (strcmp(manpath, "mandoc")) {
+		free(req->q.manpath);
+		req->q.manpath = manpath;
+	} else
+		free(manpath);
+
+	if ( ! validate_filename(file)) {
 		pg_error_badrequest(
 		    "You specified an invalid manual file.");
 		return;
 	}
 
-	if (strcmp(path, "mandoc")) {
-		free(req->q.manpath);
-		req->q.manpath = mandoc_strdup(path);
-	}
-
 	resp_begin_html(200, NULL);
 	resp_searchform(req);
-	resp_show(req, sub);
+	resp_show(req, file);
 	resp_end_html();
 }
 
@@ -961,10 +951,10 @@ pg_search(const struct req *req)
 	struct mansearch	  search;
 	struct manpaths		  paths;
 	struct manpage		 *res;
-	char			**cp;
-	const char		 *ep, *start;
+	char			**argv;
+	char			 *query, *rp, *wp;
 	size_t			  ressz;
-	int			  i, sz;
+	int			  argc;
 
 	/*
 	 * Begin by chdir()ing into the root of the manpath.
@@ -981,54 +971,53 @@ pg_search(const struct req *req)
 
 	search.arch = req->q.arch;
 	search.sec = req->q.sec;
-	search.deftype = req->q.equal ? TYPE_Nm : (TYPE_Nm | TYPE_Nd);
-	search.flags = req->q.equal ? MANSEARCH_MAN : 0;
+	search.outkey = "Nd";
+	search.argmode = req->q.equal ? ARG_NAME : ARG_EXPR;
 
 	paths.sz = 1;
 	paths.paths = mandoc_malloc(sizeof(char *));
 	paths.paths[0] = mandoc_strdup(".");
 
 	/*
-	 * Poor man's tokenisation: just break apart by spaces.
-	 * Yes, this is half-ass.  But it works for now.
+	 * Break apart at spaces with backslash-escaping.
 	 */
 
-	ep = req->q.expr;
-	while (ep && isspace((unsigned char)*ep))
-		ep++;
-
-	sz = 0;
-	cp = NULL;
-	while (ep && '\0' != *ep) {
-		cp = mandoc_reallocarray(cp, sz + 1, sizeof(char *));
-		start = ep;
-		while ('\0' != *ep && ! isspace((unsigned char)*ep))
-			ep++;
-		cp[sz] = mandoc_malloc((ep - start) + 1);
-		memcpy(cp[sz], start, ep - start);
-		cp[sz++][ep - start] = '\0';
-		while (isspace((unsigned char)*ep))
-			ep++;
+	argc = 0;
+	argv = NULL;
+	rp = query = mandoc_strdup(req->q.query);
+	for (;;) {
+		while (isspace((unsigned char)*rp))
+			rp++;
+		if (*rp == '\0')
+			break;
+		argv = mandoc_reallocarray(argv, argc + 1, sizeof(char *));
+		argv[argc++] = wp = rp;
+		for (;;) {
+			if (isspace((unsigned char)*rp)) {
+				*wp = '\0';
+				rp++;
+				break;
+			}
+			if (rp[0] == '\\' && rp[1] != '\0')
+				rp++;
+			if (wp != rp)
+				*wp = *rp;
+			if (*rp == '\0')
+				break;
+			wp++;
+			rp++;
+		}
 	}
 
-	if (0 == mansearch(&search, &paths, sz, cp, "Nd", &res, &ressz))
+	if (0 == mansearch(&search, &paths, argc, argv, &res, &ressz))
 		pg_noresult(req, "You entered an invalid query.");
 	else if (0 == ressz)
 		pg_noresult(req, "No results found.");
 	else
 		pg_searchres(req, res, ressz);
 
-	for (i = 0; i < sz; i++)
-		free(cp[i]);
-	free(cp);
-
-	for (i = 0; i < (int)ressz; i++) {
-		free(res[i].file);
-		free(res[i].names);
-		free(res[i].output);
-	}
-	free(res);
-
+	free(query);
+	mansearch_free(res, ressz);
 	free(paths.paths[0]);
 	free(paths.paths);
 }
@@ -1037,10 +1026,23 @@ int
 main(void)
 {
 	struct req	 req;
+	struct itimerval itimer;
 	const char	*path;
 	const char	*querystring;
 	int		 i;
 
+	/* Poor man's ReDoS mitigation. */
+
+	itimer.it_value.tv_sec = 2;
+	itimer.it_value.tv_usec = 0;
+	itimer.it_interval.tv_sec = 2;
+	itimer.it_interval.tv_usec = 0;
+	if (setitimer(ITIMER_VIRTUAL, &itimer, NULL) == -1) {
+		fprintf(stderr, "setitimer: %s\n", strerror(errno));
+		pg_error_internal();
+		return(EXIT_FAILURE);
+	}
+
 	/* Scan our run-time environment. */
 
 	if (NULL == (scriptname = getenv("SCRIPT_NAME")))
@@ -1074,7 +1076,8 @@ main(void)
 	if (NULL != (querystring = getenv("QUERY_STRING")))
 		http_parse(&req, querystring);
 
-	if ( ! validate_manpath(&req, req.q.manpath)) {
+	if ( ! (NULL == req.q.manpath ||
+	    validate_manpath(&req, req.q.manpath))) {
 		pg_error_badrequest(
 		    "You specified an invalid manpath.");
 		return(EXIT_FAILURE);
@@ -1096,7 +1099,7 @@ main(void)
 
 	if ('\0' != *path)
 		pg_show(&req, path);
-	else if (NULL != req.q.expr)
+	else if (NULL != req.q.query)
 		pg_search(&req);
 	else
 		pg_index(&req);
@@ -1104,7 +1107,7 @@ main(void)
 	free(req.q.manpath);
 	free(req.q.arch);
 	free(req.q.sec);
-	free(req.q.expr);
+	free(req.q.query);
 	for (i = 0; i < (int)req.psz; i++)
 		free(req.p[i]);
 	free(req.p);