element. +.It Dv HTTP_HOST +The FQDN of the (possibly virtual) host the HTTP server is running on. +This is used for +.Ic Location: +headers in HTTP 303 responses. +.It Dv MAN_DIR +A file system path to the .Nm -data directory to be used instead of -.Pa /var/www/man , -relative to the web server +data directory relative to the web server .Xr chroot 2 -directory, to be specified without a trailing slash. -This is prepended to the manpath when opening +directory, to be specified with a leading slash and without a trailing slash. +It needs to have at least one component; the root directory cannot be used +for this purpose. +The files +.Pa manpath.conf , +.Pa header.html , +and +.Pa footer.html +are looked up in this directory. +It is also prepended to the manpath when opening .Xr mandoc.db 5 and manual page files. +.It Dv SCRIPT_NAME +The initial component of URIs, to be specified without leading +and trailing slashes. +It can be empty. .El .Pp After editing @@ -208,13 +220,16 @@ run .Pp .Dl make man.cgi .Pp -and copy the files to the proper locations. -Reading the -.Cm installcgi -target in the -.Pa Makefile -can help with that, but do not run it without carefully checking it -because the directory layouts of web servers vary greatly. +and copy the resulting binary to the proper location, +for example using the command: +.Pp +.Dl make installcgi +.Pp +In addition to that, make sure the default manpath contains the files +.Pa man1/apropos.1 +and +.Pa man8/man.cgi.8 , +or the documentation links at the bottom of the index page will not work. .Ss URI interface .Nm uniform resource identifiers are not needed for interactive use, @@ -226,14 +241,22 @@ The .Cm http:// protocol specifier. .It -The host name and a following slash. +The host name. .It -The path to the program, normally -.Pa cgi-bin/man.cgi/ . +The +.Dv SCRIPT_NAME , +preceded by a slash unless empty. .It To show a single page, a slash, the manpath, another slash, and the name of the requested file, for example .Pa /OpenBSD-current/man1/mandoc.1 . +This can be abbreviated according to the following syntax: +.Sm off +.Op / Ar manpath +.Op / Cm man Ar sec +.Op / Ar arch +.Pf / Ar name Op \&. Ar sec +.Sm on .It For searches, a query string starting with a question mark and consisting of @@ -262,15 +285,45 @@ For backward compatibility with the traditional is supported as an alias for .Cm sec . .El +.Ss Restricted character set +For security reasons, in particular to prevent cross site scripting +attacks, some strings used by +.Nm +can only contain the following characters: +.Pp +.Bl -dash -compact -offset indent +.It +lower case and upper case ASCII letters +.It +the ten decimal digits +.It +the dash +.Pq Sq - +.It +the dot +.Pq Sq \&. +.It +the slash +.Pq Sq / +.It +the underscore +.Pq Sq _ +.El +.Pp +In particular, this applies to all manpaths and architecture names. .Sh ENVIRONMENT The web server may pass the following CGI variables to .Nm : .Bl -tag -width Ds -.It Ev HTTP_HOST -The FQDN of the (possibly virtual) host the HTTP server is running on. -This is used for -.Ic Location: -headers in HTTP 303 responses. +.It Ev SCRIPT_NAME +The initial part of the URI passed from the client to the server, +starting after the server's host name and ending before +.Ev PATH_INFO . +This is ignored by +.Nm . +When constructing URIs for links and redirections, the +.Dv SCRIPT_NAME +preprocessor constant is used instead. .It Ev PATH_INFO The final part of the URI path passed from the client to the server, starting after the @@ -279,20 +332,13 @@ and ending before the .Ev QUERY_STRING . It is used by the .Cm show -page to aquire the manpath and filename it needs. +page to acquire the manpath and filename it needs. .It Ev QUERY_STRING The HTTP query string passed from the client to the server. It is the final part of the URI, after the question mark. It is used by the .Cm search page to acquire the named parameters it needs. -.It Ev SCRIPT_NAME -The path to the -.Nm -binary relative to the server root, usually -.Pa /cgi-bin/man.cgi . -This is used for generating URIs to be embedded -in generated HTML code and HTTP headers. .El .Sh FILES .Bl -tag -width Ds @@ -302,36 +348,44 @@ Default web server directory. All the following paths are specified relative to this directory. .It Pa /cgi-bin/man.cgi -The path to the +The usual file system path to the .Nm -program relative to the server root. -Can be overridden by -.Ev SCRIPT_NAME . +program inside the web server +.Xr chroot 2 +directory. +A different name can be chosen, but in any case, it needs to be configured in +.Xr httpd.conf 5 . .It Pa /htdocs -The path to the server document root relative to the server root. +The file system path to the server document root directory +relative to the server +.Xr chroot 2 +directory. This is part of the web server configuration and not specific to .Nm . -.It Pa /htdocs/man-cgi.css -A style sheet for general -.Nm -styling, referenced from each generated HTML page. -.It Pa /htdocs/man.css +.It Pa /htdocs/mandoc.css A style sheet for .Xr mandoc 1 -HTML styling, referenced from each generated HTML page after -.Pa man-cgi.css . +HTML styling, referenced from each generated HTML page. .It Pa /man Default .Nm data directory containing all the manual trees. Can be overridden by -.Ev MAN_DIR . -.It Pa /man/mandoc/man1/apropos.1 , /man/mandoc/man8/man.cgi.8 -Manual pages documenting -.Nm -itself, linked from the index page. +.Dv MAN_DIR . .It Pa /man/manpath.conf The list of available manpaths, one per line. +If any of the lines in this file contains a slash +.Pq Sq / +or any character not contained in the +.Sx Restricted character set , +.Nm +reports an internal server error and exits without doing anything. +.It Pa /man/header.html +An optional file containing static HTML code to be inserted right +after opening the <BODY> element. +.It Pa /man/footer.html +An optional file containing static HTML code to be inserted right +before closing the <BODY> element. .It Pa /man/OpenBSD-current/man1/mandoc.1 An example .Xr mdoc 7 @@ -357,15 +411,16 @@ A version of based on .Xr mandoc 1 first appeared in mdocml-1.12.1 (March 2012). -The current SQLite3-based version first appeared in -.Ox 5.6 . +The current +.Xr mandoc.db 5 +database format first appeared in +.Ox 6.1 . .Sh AUTHORS .An -nosplit The .Nm program was written by .An Kristaps Dzonsons Aq Mt kristaps@bsd.lv -and ported to the SQLite3-based -.Xr mandoc.db 5 -backend by -.An Ingo Schwarze Aq Mt schwarze@openbsd.org . +and is maintained by +.An Ingo Schwarze Aq Mt schwarze@openbsd.org , +who also designed and implemented the database format.

=================================================================== RCS file: /cvs/mandoc/man.cgi.8,v retrieving revision 1.6 retrieving revision 1.21 diff -u -p -r1.6 -r1.21 --- mandoc/man.cgi.8 2014/07/13 15:38:36 1.6 +++ mandoc/man.cgi.8 2017/03/17 12:56:57 1.21 @@ -1,6 +1,6 @@ -.\" $Id: man.cgi.8,v 1.6 2014/07/13 15:38:36 schwarze Exp $ +.\" $Id: man.cgi.8,v 1.21 2017/03/17 12:56:57 schwarze Exp $ .\" -.\" Copyright (c) 2014 Ingo Schwarze +.\" Copyright (c) 2014, 2015, 2016 Ingo Schwarze .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: July 13 2014 $ +.Dd $Mdocdate: March 17 2017 $ .Dt MAN.CGI 8 .Os .Sh NAME @@ -26,9 +26,9 @@ The CGI program searches for manual pages on a WWW server and displays them to HTTP clients, providing functionality equivalent to the -.Xr apropos 1 -and .Xr man 1 +and +.Xr apropos 1 utilities. It can use multiple manual trees in parallel. .Ss HTML search interface @@ -43,22 +43,23 @@ either a name of a manual page or an using the syntax described in the .Xr apropos 1 manual; filling this in is required for each search. +.Pp +The expression is broken into words at whitespace. +Whitespace characters and backslashes can be escaped +by prepending a backslash. +The effect of prepending a backslash to another character is undefined; +in the current implementation, it has no effect. .It A -.Dq Submit -button to send a search request from the client to the server. -.It -A -.Dq Reset -button to undo any changes to the input boxes and the dropdown menus -and reset them to the values contained in the -.Ev QUERY_STRING . -.It -Radio buttons to select pages either by name like in .Xr man 1 -or using +submit button. +The string in the input box is interpreted as the name of a manual page. +.It +An .Xr apropos 1 -queries. +submit button. +The string in the input box is interpreted as a search +.Ar expression . .It A dropdown menu to optionally select a manual section. If one is provided, it has the same effect as the @@ -155,7 +156,8 @@ database inside each manpath. Configure your web server to execute CGI programs located in .Pa /cgi-bin . When using -.Xr nginx 8 , +.Ox +.Xr httpd 8 , the .Xr slowcgi 8 proxy daemon is needed to translate FastCGI requests to plain old CGI. @@ -174,32 +176,42 @@ Only useful for running on www.openbsd.org to deal wit .Qq "manpath=OpenBSD " where the blank character has to be translated to a hyphen. When compiling for other sites, this definition can be deleted. -.It Ev CSS_DIR -An optional path to the directory containing the CSS files, +.It Dv CSS_DIR +An optional file system path to the directory containing the file +.Pa mandoc.css , to be specified relative to the server's document root, and to be specified without a trailing slash. -When not specified, the CSS files -are assumed to be in the document root. +When empty, the CSS file is assumed to be in the document root. +Otherwise, a leading slash is needed. This is used in generated HTML code. -.It Ev CUSTOMIZE_BEGIN -A HTML string to be inserted right after opening the -.Aq BODY -element. -.It Ev CUSTOMIZE_TITLE -An ASCII string to be used for the HTML -.Aq TITLE -element. -.It Ev MAN_DIR -A path to the +.It Dv CUSTOMIZE_TITLE +An ASCII string to be used for the HTML element. +.It Dv HTTP_HOST +The FQDN of the (possibly virtual) host the HTTP server is running on. +This is used for +.Ic Location: +headers in HTTP 303 responses. +.It Dv MAN_DIR +A file system path to the .Nm -data directory to be used instead of -.Pa /var/www/man , -relative to the web server +data directory relative to the web server .Xr chroot 2 -directory, to be specified without a trailing slash. -This is prepended to the manpath when opening +directory, to be specified with a leading slash and without a trailing slash. +It needs to have at least one component; the root directory cannot be used +for this purpose. +The files +.Pa manpath.conf , +.Pa header.html , +and +.Pa footer.html +are looked up in this directory. +It is also prepended to the manpath when opening .Xr mandoc.db 5 and manual page files. +.It Dv SCRIPT_NAME +The initial component of URIs, to be specified without leading +and trailing slashes. +It can be empty. .El .Pp After editing @@ -208,13 +220,16 @@ run .Pp .Dl make man.cgi .Pp -and copy the files to the proper locations. -Reading the -.Cm installcgi -target in the -.Pa Makefile -can help with that, but do not run it without carefully checking it -because the directory layouts of web servers vary greatly. +and copy the resulting binary to the proper location, +for example using the command: +.Pp +.Dl make installcgi +.Pp +In addition to that, make sure the default manpath contains the files +.Pa man1/apropos.1 +and +.Pa man8/man.cgi.8 , +or the documentation links at the bottom of the index page will not work. .Ss URI interface .Nm uniform resource identifiers are not needed for interactive use, @@ -226,14 +241,22 @@ The .Cm http:// protocol specifier. .It -The host name and a following slash. +The host name. .It -The path to the program, normally -.Pa cgi-bin/man.cgi/ . +The +.Dv SCRIPT_NAME , +preceded by a slash unless empty. .It To show a single page, a slash, the manpath, another slash, and the name of the requested file, for example .Pa /OpenBSD-current/man1/mandoc.1 . +This can be abbreviated according to the following syntax: +.Sm off +.Op / Ar manpath +.Op / Cm man Ar sec +.Op / Ar arch +.Pf / Ar name Op \&. Ar sec +.Sm on .It For searches, a query string starting with a question mark and consisting of @@ -262,15 +285,45 @@ For backward compatibility with the traditional is supported as an alias for .Cm sec . .El +.Ss Restricted character set +For security reasons, in particular to prevent cross site scripting +attacks, some strings used by +.Nm +can only contain the following characters: +.Pp +.Bl -dash -compact -offset indent +.It +lower case and upper case ASCII letters +.It +the ten decimal digits +.It +the dash +.Pq Sq - +.It +the dot +.Pq Sq \&. +.It +the slash +.Pq Sq / +.It +the underscore +.Pq Sq _ +.El +.Pp +In particular, this applies to all manpaths and architecture names. .Sh ENVIRONMENT The web server may pass the following CGI variables to .Nm : .Bl -tag -width Ds -.It Ev HTTP_HOST -The FQDN of the (possibly virtual) host the HTTP server is running on. -This is used for -.Ic Location: -headers in HTTP 303 responses. +.It Ev SCRIPT_NAME +The initial part of the URI passed from the client to the server, +starting after the server's host name and ending before +.Ev PATH_INFO . +This is ignored by +.Nm . +When constructing URIs for links and redirections, the +.Dv SCRIPT_NAME +preprocessor constant is used instead. .It Ev PATH_INFO The final part of the URI path passed from the client to the server, starting after the @@ -279,20 +332,13 @@ and ending before the .Ev QUERY_STRING . It is used by the .Cm show -page to aquire the manpath and filename it needs. +page to acquire the manpath and filename it needs. .It Ev QUERY_STRING The HTTP query string passed from the client to the server. It is the final part of the URI, after the question mark. It is used by the .Cm search page to acquire the named parameters it needs. -.It Ev SCRIPT_NAME -The path to the -.Nm -binary relative to the server root, usually -.Pa /cgi-bin/man.cgi . -This is used for generating URIs to be embedded -in generated HTML code and HTTP headers. .El .Sh FILES .Bl -tag -width Ds @@ -302,36 +348,44 @@ Default web server directory. All the following paths are specified relative to this directory. .It Pa /cgi-bin/man.cgi -The path to the +The usual file system path to the .Nm -program relative to the server root. -Can be overridden by -.Ev SCRIPT_NAME . +program inside the web server +.Xr chroot 2 +directory. +A different name can be chosen, but in any case, it needs to be configured in +.Xr httpd.conf 5 . .It Pa /htdocs -The path to the server document root relative to the server root. +The file system path to the server document root directory +relative to the server +.Xr chroot 2 +directory. This is part of the web server configuration and not specific to .Nm . -.It Pa /htdocs/man-cgi.css -A style sheet for general -.Nm -styling, referenced from each generated HTML page. -.It Pa /htdocs/man.css +.It Pa /htdocs/mandoc.css A style sheet for .Xr mandoc 1 -HTML styling, referenced from each generated HTML page after -.Pa man-cgi.css . +HTML styling, referenced from each generated HTML page. .It Pa /man Default .Nm data directory containing all the manual trees. Can be overridden by -.Ev MAN_DIR . -.It Pa /man/mandoc/man1/apropos.1 , /man/mandoc/man8/man.cgi.8 -Manual pages documenting -.Nm -itself, linked from the index page. +.Dv MAN_DIR . .It Pa /man/manpath.conf The list of available manpaths, one per line. +If any of the lines in this file contains a slash +.Pq Sq / +or any character not contained in the +.Sx Restricted character set , +.Nm +reports an internal server error and exits without doing anything. +.It Pa /man/header.html +An optional file containing static HTML code to be inserted right +after opening the <BODY> element. +.It Pa /man/footer.html +An optional file containing static HTML code to be inserted right +before closing the <BODY> element. .It Pa /man/OpenBSD-current/man1/mandoc.1 An example .Xr mdoc 7 @@ -357,15 +411,16 @@ A version of based on .Xr mandoc 1 first appeared in mdocml-1.12.1 (March 2012). -The current SQLite3-based version first appeared in -.Ox 5.6 . +The current +.Xr mandoc.db 5 +database format first appeared in +.Ox 6.1 . .Sh AUTHORS .An -nosplit The .Nm program was written by .An Kristaps Dzonsons Aq Mt kristaps@bsd.lv -and ported to the SQLite3-based -.Xr mandoc.db 5 -backend by -.An Ingo Schwarze Aq Mt schwarze@openbsd.org . +and is maintained by +.An Ingo Schwarze Aq Mt schwarze@openbsd.org , +who also designed and implemented the database format.