===================================================================
RCS file: /cvs/cvsweb/cvsweb.cgi,v
retrieving revision 4.2
retrieving revision 4.12
diff -u -p -r4.2 -r4.12
--- cvsweb/cvsweb.cgi	2019/11/09 09:10:05	4.2
+++ cvsweb/cvsweb.cgi	2019/11/10 14:55:42	4.12
@@ -1,5 +1,5 @@
-#!/usr/bin/perl -T
-# $Id: cvsweb.cgi,v 4.2 2019/11/09 09:10:05 schwarze Exp $
+#!/usr/bin/perl
+# $Id: cvsweb.cgi,v 4.12 2019/11/10 14:55:42 schwarze Exp $
 # $knu: cvsweb.cgi,v 1.299 2010/11/13 16:37:18 simon
 #
 # cvsweb - a CGI interface to CVS trees.
@@ -50,7 +50,6 @@
 require 5.006;
 
 use strict;
-
 use warnings;
 use filetest qw(access);
 
@@ -88,7 +87,6 @@ use vars qw (
 );
 
 use Cwd                   qw(abs_path);
-use File::Basename        qw(dirname);
 use File::Path            qw(rmtree);
 use File::Spec::Functions qw(canonpath catdir catfile curdir devnull rootdir
                              tmpdir updir);
@@ -115,7 +113,7 @@ use constant HAS_EDIFF    => eval { require String::Ed
 
 BEGIN
 {
-  $VERSION = '3.0.6';
+  $VERSION = '3.1';
 
   $HTML_DOCTYPE =
     '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" ' .
@@ -204,23 +202,9 @@ sub checkout_to_temp($$$);
 # (think mod_perl)...
 delete(@ENV{qw(PATH IFS CDPATH ENV BASH_ENV)});
 
-my ($mydir) = (dirname($0) =~ /(.*)/);    # untaint
+# Location of the configuration file inside the web server chroot:
+$config = '/conf/cvsweb/cvsweb.conf';
 
-##### Start of Configuration Area ########
-
-# == EDIT this ==
-# Locations to search for user configuration, in order:
-for (catfile($mydir, 'cvsweb.conf'), '/usr/local/etc/cvsweb/cvsweb.conf') {
-  if (-r $_) {
-    $config = $_;
-    last;
-  }
-}
-
-##### End of Configuration Area   ########
-
-undef $mydir;
-
 ######## Configuration parameters #########
 
 @CVSrepositories = @CVSROOT = %CVSROOT = %MIRRORS = %DEFAULTVALUE = %ICONS =
@@ -374,9 +358,17 @@ if (defined($ENV{QUERY_STRING})) {
     $p =~ y/+/ /;
     my ($key, $val) = split(/=/, $p, 2);
     next unless defined($key);
-    $val = 1 unless defined($val);
-    ($key = uri_unescape($key)) =~ /[[:graph:]]/ or next;
-    ($val = uri_unescape($val)) =~ /[[:graph:]]/ or next;
+    $key = uri_unescape($key);
+    $key =~ /([^a-z_12-])/ and fatal('404 Not Found',
+      'Invalid character "%s" in query parameter "%s"', $1, $key);
+    if (defined $val) {
+      $val = uri_unescape($val);
+      $val =~ /([^a-zA-Z_01-9.\/-])/ and fatal('404 Not Found',
+        'Invalid character "%s" in the value "%s" of the query parameter "%s"',
+        $1, $value, $key);
+    } else {
+      $val = 1;
+    }
     $query{$key} = $val;
   }
 }
@@ -773,6 +765,7 @@ if ($input{tarball}) {
   }
 
   # Clean up.
+  chdir("..");
   rmtree($tmpexportdir);
 
   &fatal(@fatal) if @fatal;
@@ -1556,7 +1549,7 @@ sub htmlify($;$)
          }{
             my($text, $name, $section) = ($1, $2, defined($3) ? $3 : $4);
             ($name =~ /[A-Za-z]/ && $name !~ /\.(:|$)/)
-             ? &link($text, sprintf($mancgi, $section, uri_escape($name)))
+             ? &link($text, sprintf($mancgi, uri_escape($name), $section))
               : $text;
          }egx;
       } $_;
@@ -2934,7 +2927,7 @@ sub printLog($$$;$$)
   print "<br />\n";
 
   print '<i>';
-  if (defined @mytz) {
+  if (@mytz) {
     my ($est) = $mytz[(localtime($date{$_}))[8]];
     print scalar localtime($date{$_}), " $est</i> (";
   } else {
@@ -4210,6 +4203,7 @@ sub htmlquote($)
   # Special Characters; RFC 1866
   s/&/&amp;/g;
   s/\"/&quot;/g;
+  s/%22/&quot;/g;
   s/</&lt;/g;
   s/>/&gt;/g;
   return $_;
@@ -4249,6 +4243,8 @@ sub http_header(;$$)
   push(@headers, 'Last-Modified: ' . scalar gmtime($moddate) . ' GMT')
     if $moddate;
   push(@headers, 'Content-Type: ' . $content_type);
+  push(@headers, "Content-Security-Policy: default-src 'none'; " .
+    "img-src 'self'; style-src 'unsafe-inline'");
 
   if ($allow_compress && $maycompress) {
     if (HAS_ZLIB
@@ -4441,7 +4437,7 @@ sub TIEHANDLE
               crc    => 0,
               len    => 0,
             };
-  my ($header) = pack("c10",
+  my ($header) = pack("C10",
                       MAGIC1, MAGIC2, Compress::Zlib::Z_DEFLATED(),
                       0, 0, 0, 0, 0, 0, OSCODE);
   print {$o->{handle}} $header;