=================================================================== RCS file: /cvs/cvsweb/cvsweb.cgi,v retrieving revision 4.7 retrieving revision 4.14 diff -u -p -r4.7 -r4.14 --- cvsweb/cvsweb.cgi 2019/11/09 09:32:22 4.7 +++ cvsweb/cvsweb.cgi 2019/11/11 12:46:23 4.14 @@ -1,5 +1,5 @@ #!/usr/bin/perl -# $Id: cvsweb.cgi,v 4.7 2019/11/09 09:32:22 schwarze Exp $ +# $Id: cvsweb.cgi,v 4.14 2019/11/11 12:46:23 schwarze Exp $ # $knu: cvsweb.cgi,v 1.299 2010/11/13 16:37:18 simon # # cvsweb - a CGI interface to CVS trees. @@ -86,6 +86,7 @@ use vars qw ( $allow_enscript @enscript_options %enscript_types ); +require Compress::Zlib; use Cwd qw(abs_path); use File::Path qw(rmtree); use File::Spec::Functions qw(canonpath catdir catfile curdir devnull rootdir @@ -102,7 +103,6 @@ use constant CVSWEBMARKUP => qr{^text/(x-cvsweb|vnd\.v use constant LOG_FILESEPR => qr/^={77}$/o; use constant LOG_REVSEPR => qr/^-{28}$/o; -use constant HAS_ZLIB => eval { require Compress::Zlib; }; use constant HAS_EDIFF => eval { require String::Ediff; }; # ----------------------------------------------------------------------------- @@ -113,7 +113,7 @@ use constant HAS_EDIFF => eval { require String::Ed BEGIN { - $VERSION = '3.0.6'; + $VERSION = '3.1'; $HTML_DOCTYPE = 'General options EOF - for my $v qw(hidecvsroot hidenonreadable) { + for my $v (qw(hidecvsroot hidenonreadable)) { printf(qq{\n}, $v, $input{$v} || 0); } @@ -4234,12 +4243,10 @@ sub http_header(;$$) push(@headers, 'Last-Modified: ' . scalar gmtime($moddate) . ' GMT') if $moddate; push(@headers, 'Content-Type: ' . $content_type); + push(@headers, "Content-Security-Policy: default-src 'none'; " . + "img-src 'self'; style-src 'unsafe-inline'"); if ($allow_compress && $maycompress) { - if (HAS_ZLIB - || (defined($CMD{gzip}) && open(GZIP, "| $CMD{gzip} -1 -c"))) - { - push(@headers, 'Content-Encoding: gzip'); push(@headers, 'Vary: Accept-Encoding'); # RFC 2616, 14.44 print join("\r\n", @headers) . "\r\n\r\n"; 
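Review bot: The new top-level `require Compress::Zlib;` makes the module mandatory for every request, including installations where `$allow_compress` is off, and its failure mode is a bare die before any header is written. Nothing visible in this diff records that new requirement for operators. A comment on the line would cover it, e.g. `# Mandatory since 3.1: the external gzip fallback was removed, so output compression needs this module.` Alternatively, if running without the module is still meant to work, the `require` could move into the `$allow_compress && $maycompress` branch of http_header; the diff does not show which is intended.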
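Review bot: The Content-Security-Policy value pushed in http_header leaves `form-action`, `frame-ancestors` and `base-uri` unrestricted, because these directives do not fall back to `default-src`. The header appears to be added to every response, presumably including markup served straight from the repository, so such a page could still submit a form to another origin or be framed by another site. If all of cvsweb's own forms post back to the CGI, the value could be extended to `default-src 'none'; img-src 'self'; style-src 'unsafe-inline'; form-action 'self'; frame-ancestors 'none'; base-uri 'none'`. A one-line comment above the push explaining why `style-src 'unsafe-inline'` is required would also help the next maintainer tighten it. http_header starts before this hunk and continues past it.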
@@ -4247,18 +4254,9 @@ sub http_header(;$$) $| = 1; $| = 0; # Flush header output. - tie(*GZIP, __PACKAGE__, \*STDOUT) if HAS_ZLIB; + tie(*GZIP, __PACKAGE__, \*STDOUT); select(GZIP); $gzip_open = 1; - - } else { - - print join("\r\n", @headers) . "\r\n\r\n"; - printf - 'Unable to find gzip binary in the $command_path (%s) to compress output
', - htmlquote(join(':', @command_path)); - } - } else { print join("\r\n", @headers) . "\r\n\r\n"; } @@ -4426,7 +4424,7 @@ sub TIEHANDLE crc => 0, len => 0, }; - my ($header) = pack("c10", + my ($header) = pack("C10", MAGIC1, MAGIC2, Compress::Zlib::Z_DEFLATED(), 0, 0, 0, 0, 0, 0, OSCODE); print {$o->{handle}} $header;
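Review bot: The result of `tie(*GZIP, __PACKAGE__, \*STDOUT);` is not checked, and this hunk also removes the `else` branch that used to report a compression setup failure. The header block, including `Content-Encoding: gzip`, is printed just before this point in the preceding hunk. If TIEHANDLE ever returned false (its body is only partly visible in this diff), `select(GZIP)` would route the page to an untied handle and the client would receive a body that does not match the announced encoding. A guard such as `tie(*GZIP, __PACKAGE__, \*STDOUT) or die "cvsweb: cannot set up gzip output\n";` would at least make that failure visible in the server log. The enclosing http_header body starts and ends outside this hunk.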
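Review bot: The `pack("C10", ...)` call in TIEHANDLE has no comment explaining the ten bytes or why the template must be unsigned, which makes the `c` to `C` fix easy to revert by accident. I would add above it: `# gzip member header (RFC 1952): ID1, ID2, CM, FLG, MTIME (4 bytes), XFL, OS.` and `# "C" (unsigned char) is required: ID2 is presumably 0x8b, which does not fit a signed char.` The value of MAGIC2 is defined outside this hunk, so confirm it before committing the second line. TIEHANDLE itself starts before the hunk and continues past it.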