===================================================================
RCS file: /cvs/cvsweb/cvsweb.cgi,v
retrieving revision 4.8
retrieving revision 4.13
diff -u -p -r4.8 -r4.13
--- cvsweb/cvsweb.cgi 2019/11/09 09:41:07 4.8
+++ cvsweb/cvsweb.cgi 2019/11/11 12:40:12 4.13
@@ -1,5 +1,5 @@
#!/usr/bin/perl
-# $Id: cvsweb.cgi,v 4.8 2019/11/09 09:41:07 schwarze Exp $
+# $Id: cvsweb.cgi,v 4.13 2019/11/11 12:40:12 schwarze Exp $
# $knu: cvsweb.cgi,v 1.299 2010/11/13 16:37:18 simon
#
# cvsweb - a CGI interface to CVS trees.
@@ -86,6 +86,7 @@ use vars qw (
$allow_enscript @enscript_options %enscript_types
);
+require Compress::Zlib;
use Cwd qw(abs_path);
use File::Path qw(rmtree);
use File::Spec::Functions qw(canonpath catdir catfile curdir devnull rootdir
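Review bot: The added `require Compress::Zlib;` sits in the middle of the compile-time `use` block but is itself a run-time statement, so it reads as a conditional/optional load when the commit actually makes the module mandatory (the `HAS_ZLIB` fallback is removed further down). Writing it as `use Compress::Zlib ();` keeps the import list empty, as now, but loads the module at compile time alongside its neighbours and fails with the same clear message before any other code runs. Either way, a one-line comment such as `# Mandatory since the gzip-binary fallback was dropped; see http_header().` would tell the next reader why this is no longer guarded.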
@@ -102,7 +103,6 @@ use constant CVSWEBMARKUP => qr{^text/(x-cvsweb|vnd\.v
use constant LOG_FILESEPR => qr/^={77}$/o;
use constant LOG_REVSEPR => qr/^-{28}$/o;
-use constant HAS_ZLIB => eval { require Compress::Zlib; };
use constant HAS_EDIFF => eval { require String::Ediff; };
# -----------------------------------------------------------------------------
@@ -317,7 +317,7 @@ $maycompress = (
&& $ENV{HTTP_ACCEPT_ENCODING} =~ /gzip/)
|| $is_mozilla3)
&& !$is_msie
- && !(defined($ENV{MOD_PERL}) && !HAS_ZLIB)
+ && !(defined($ENV{MOD_PERL}))
);
# Parameters that will be sticky in all constructed links/query strings.
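Review bot: The simplified term `!(defined($ENV{MOD_PERL}))` on the changed line switches compression off for every mod_perl deployment, which the removed line did not do: with `HAS_ZLIB` true, `!(defined($ENV{MOD_PERL}) && !HAS_ZLIB)` was always true, so mod_perl only blocked compression when Compress::Zlib was missing. Now that Compress::Zlib is mandatory the equivalent simplification is to drop the term entirely and end the expression at `&& !$is_msie`. If disabling compression under mod_perl is the intent, a comment saying so would help, and the redundant parentheses can go: `&& !defined($ENV{MOD_PERL})`. The `$maycompress` assignment begins above this hunk.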
@@ -358,9 +358,17 @@ if (defined($ENV{QUERY_STRING})) {
$p =~ y/+/ /;
my ($key, $val) = split(/=/, $p, 2);
next unless defined($key);
- $val = 1 unless defined($val);
- ($key = uri_unescape($key)) =~ /[[:graph:]]/ or next;
- ($val = uri_unescape($val)) =~ /[[:graph:]]/ or next;
+ $key = uri_unescape($key);
+ $key =~ /([^a-z_12-])/ and fatal('404 Not Found',
+ 'Invalid character "%s" in query parameter "%s"', $1, $key);
+ if (defined $val) {
+ $val = uri_unescape($val);
+ $val =~ /([^a-zA-Z_01-9.\/-])/ and fatal('404 Not Found',
+ 'Invalid character "%s" in the value "%s" of the query parameter "%s"',
+ $1, $value, $key);
+ } else {
+ $val = 1;
+ }
$query{$key} = $val;
}
}
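Review bot: `$value`, the third argument of the second `fatal` call, is not a variable this loop declares; the unescaped value being checked is `$val`, so the message would print nothing useful there, and under `use strict` the script will not compile at all unless `$value` happens to be declared elsewhere (for example in the `use vars` list). Change the argument list to `$1, $val, $key);`. Separately, the removed `[[:graph:]]` tests used to skip empty keys and values, whereas the new character-class checks accept an empty string, so `?=x` now stores `$query{''}` and `?f=` stores an empty `f`; if that is unwanted, add `next unless length $key;` after the unescape. A malformed query is a client error, so `'400 Bad Request'` describes these rejections more accurately than 404. The `for` loop this code belongs to starts above the hunk.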
@@ -757,6 +765,7 @@ if ($input{tarball}) {
}
# Clean up.
+ chdir("..");
rmtree($tmpexportdir);
&fatal(@fatal) if @fatal;
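Review bot: The added `chdir("..")` discards its return value, so if it fails `rmtree($tmpexportdir)` runs with the working directory still inside the tree being removed and the temporary export is silently left behind. Check it before cleaning up, e.g. `chdir('..') or warn "chdir ..: $!";`, and consider changing to an absolute directory instead of relying on the current directory being exactly one level inside `$tmpexportdir` (that cwd is established outside this hunk). Since `rmtree` also reports nothing here, passing its `error` option or at least checking its return value would make a leftover temporary directory visible in the logs.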
@@ -4234,12 +4243,10 @@ sub http_header(;$$)
push(@headers, 'Last-Modified: ' . scalar gmtime($moddate) . ' GMT')
if $moddate;
push(@headers, 'Content-Type: ' . $content_type);
+ push(@headers, "Content-Security-Policy: default-src 'none'; " .
+ "img-src 'self'; style-src 'unsafe-inline'");
if ($allow_compress && $maycompress) {
- if (HAS_ZLIB
- || (defined($CMD{gzip}) && open(GZIP, "| $CMD{gzip} -1 -c")))
- {
-
push(@headers, 'Content-Encoding: gzip');
push(@headers, 'Vary: Accept-Encoding'); # RFC 2616, 14.44
print join("\r\n", @headers) . "\r\n\r\n";
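Review bot: The new `Content-Security-Policy` header allows only inline styles (`style-src 'unsafe-inline'`), so if the generated page links an external stylesheet the browser will refuse to load it; that case needs `style-src 'self' 'unsafe-inline'`. I cannot see from this hunk which form the markup uses, so please confirm against the HTML-emitting code. The header is also pushed for every response that goes through http_header, including non-HTML ones such as checkouts and tarballs, where it is harmless but adds noise; limiting it to the HTML content types would be tidier. A short comment naming the intent, e.g. `# Lock down the HTML: no scripts, no remote resources, inline styles and local images only.`, would save the next reader from re-deriving the policy.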
@@ -4247,18 +4254,9 @@ sub http_header(;$$)
$| = 1;
$| = 0; # Flush header output.
- tie(*GZIP, __PACKAGE__, \*STDOUT) if HAS_ZLIB;
+ tie(*GZIP, __PACKAGE__, \*STDOUT);
select(GZIP);
$gzip_open = 1;
-
- } else {
-
- print join("\r\n", @headers) . "\r\n\r\n";
- printf
- 'Unable to find gzip binary in the $command_path (%s
) to compress output
',
- htmlquote(join(':', @command_path));
- }
-
} else {
print join("\r\n", @headers) . "\r\n\r\n";
}
@@ -4426,7 +4424,7 @@ sub TIEHANDLE
crc => 0,
len => 0,
};
- my ($header) = pack("c10",
+ my ($header) = pack("C10",
MAGIC1, MAGIC2, Compress::Zlib::Z_DEFLATED(),
0, 0, 0, 0, 0, 0, OSCODE);
print {$o->{handle}} $header;
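Review bot: The `pack` template on the changed line deserves a comment now that the format is unsigned: the ten bytes form the gzip member header (ID1, ID2, CM, FLG, four MTIME bytes, XFL, OS), and `C` is needed because the second magic byte does not fit a signed `c` byte, which `pack` warns about. Suggested comment above the call: `# gzip member header (RFC 1952 2.3): ID1 ID2 CM FLG MTIME(4) XFL OS; FLG, MTIME and XFL are zero.` MAGIC1, MAGIC2 and OSCODE are defined outside this hunk, so I am assuming the conventional 0x1f/0x8b values there. TIEHANDLE starts above the hunk.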