===================================================================
RCS file: /cvs/mandoc/cgi.c,v
retrieving revision 1.77
retrieving revision 1.85
diff -u -p -r1.77 -r1.85
--- mandoc/cgi.c	2014/07/19 13:15:11	1.77
+++ mandoc/cgi.c	2014/07/25 16:56:06	1.85
@@ -1,4 +1,4 @@
-/*	$Id: cgi.c,v 1.77 2014/07/19 13:15:11 schwarze Exp $ */
+/*	$Id: cgi.c,v 1.85 2014/07/25 16:56:06 schwarze Exp $ */
 /*
  * Copyright (c) 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2014 Ingo Schwarze <schwarze@usta.de>
@@ -39,10 +39,10 @@
  * A query as passed to the search function.
  */
 struct	query {
-	const char	*manpath; /* desired manual directory */
-	const char	*arch; /* architecture */
-	const char	*sec; /* manual section */
-	const char	*expr; /* unparsed expression string */
+	char		*manpath; /* desired manual directory */
+	char		*arch; /* architecture */
+	char		*sec; /* manual section */
+	char		*query; /* unparsed query expression */
 	int		 equal; /* match whole names, not substrings */
 };
 
@@ -53,13 +53,12 @@ struct	req {
 };
 
 static	void		 catman(const struct req *, const char *);
-static	int	 	 cmp(const void *, const void *);
 static	void		 format(const struct req *, const char *);
 static	void		 html_print(const char *);
 static	void		 html_printquery(const struct req *);
 static	void		 html_putchar(char);
 static	int 		 http_decode(char *);
-static	void		 http_parse(struct req *, char *);
+static	void		 http_parse(struct req *, const char *);
 static	void		 http_print(const char *);
 static	void 		 http_putchar(char);
 static	void		 http_printquery(const struct req *);
@@ -71,12 +70,16 @@ static	void		 pg_noresult(const struct req *, const ch
 static	void		 pg_search(const struct req *);
 static	void		 pg_searchres(const struct req *,
 				struct manpage *, size_t);
-static	void		 pg_show(const struct req *, const char *);
+static	void		 pg_show(struct req *, const char *);
 static	void		 resp_begin_html(int, const char *);
 static	void		 resp_begin_http(int, const char *);
 static	void		 resp_end_html(void);
 static	void		 resp_searchform(const struct req *);
 static	void		 resp_show(const struct req *, const char *);
+static	void		 set_query_attr(char **, char **);
+static	int		 validate_filename(const char *);
+static	int		 validate_manpath(const struct req *, const char *);
+static	int		 validate_urifrag(const char *);
 
 static	const char	 *scriptname; /* CGI script name */
 
@@ -157,9 +160,9 @@ http_printquery(const struct req *req)
 		printf("&arch=");
 		http_print(req->q.arch);
 	}
-	if (NULL != req->q.expr) {
+	if (NULL != req->q.query) {
 		printf("&query=");
-		http_print(req->q.expr);
+		http_print(req->q.query);
 	}
 	if (0 == req->q.equal)
 		printf("&apropos=1");
@@ -181,9 +184,9 @@ html_printquery(const struct req *req)
 		printf("&amp;arch=");
 		html_print(req->q.arch);
 	}
-	if (NULL != req->q.expr) {
+	if (NULL != req->q.query) {
 		printf("&amp;query=");
-		html_print(req->q.expr);
+		html_print(req->q.query);
 	}
 	if (0 == req->q.equal)
 		printf("&amp;apropos=1");
@@ -214,65 +217,114 @@ html_print(const char *p)
 }
 
 /*
- * Parse out key-value pairs from an HTTP request variable.
- * This can be either a cookie or a POST/GET string, although man.cgi
- * uses only GET for simplicity.
+ * Transfer the responsibility for the allocated string *val
+ * to the query structure.
  */
 static void
-http_parse(struct req *req, char *p)
+set_query_attr(char **attr, char **val)
 {
-	char            *key, *val;
 
-	memset(&req->q, 0, sizeof(struct query));
-	req->q.manpath = req->p[0];
-	req->q.equal = 1;
+	free(*attr);
+	if (**val == '\0') {
+		*attr = NULL;
+		free(*val);
+	} else
+		*attr = *val;
+	*val = NULL;
+}
 
-	while ('\0' != *p) {
-		key = p;
-		val = NULL;
+/*
+ * Parse the QUERY_STRING for key-value pairs
+ * and store the values into the query structure.
+ */
+static void
+http_parse(struct req *req, const char *qs)
+{
+	char		*key, *val;
+	size_t		 keysz, valsz;
 
-		p += (int)strcspn(p, ";&");
-		if ('\0' != *p)
-			*p++ = '\0';
-		if (NULL != (val = strchr(key, '=')))
-			*val++ = '\0';
+	req->q.manpath	= NULL;
+	req->q.arch	= NULL;
+	req->q.sec	= NULL;
+	req->q.query	= NULL;
+	req->q.equal	= 1;
 
-		if ('\0' == *key || NULL == val || '\0' == *val)
-			continue;
+	key = val = NULL;
+	while (*qs != '\0') {
 
-		/* Just abort handling. */
+		/* Parse one key. */
 
-		if ( ! http_decode(key))
-			break;
-		if (NULL != val && ! http_decode(val))
-			break;
+		keysz = strcspn(qs, "=;&");
+		key = mandoc_strndup(qs, keysz);
+		qs += keysz;
+		if (*qs != '=')
+			goto next;
 
-		if (0 == strcmp(key, "query"))
-			req->q.expr = val;
-		else if (0 == strcmp(key, "manpath")) {
+		/* Parse one value. */
+
+		valsz = strcspn(++qs, ";&");
+		val = mandoc_strndup(qs, valsz);
+		qs += valsz;
+
+		/* Decode and catch encoding errors. */
+
+		if ( ! (http_decode(key) && http_decode(val)))
+			goto next;
+
+		/* Handle key-value pairs. */
+
+		if ( ! strcmp(key, "query"))
+			set_query_attr(&req->q.query, &val);
+
+		else if ( ! strcmp(key, "apropos"))
+			req->q.equal = !strcmp(val, "0");
+
+		else if ( ! strcmp(key, "manpath")) {
 #ifdef COMPAT_OLDURI
-			if (0 == strncmp(val, "OpenBSD ", 8)) {
+			if ( ! strncmp(val, "OpenBSD ", 8)) {
 				val[7] = '-';
 				if ('C' == val[8])
 					val[8] = 'c';
 			}
 #endif
-			req->q.manpath = val;
-		} else if (0 == strcmp(key, "apropos"))
-			req->q.equal = !strcmp(val, "0");
-		else if (0 == strcmp(key, "sec")) {
-			if (strcmp(val, "0"))
-				req->q.sec = val;
+			set_query_attr(&req->q.manpath, &val);
+		}
+
+		else if ( ! (strcmp(key, "sec")
 #ifdef COMPAT_OLDURI
-		} else if (0 == strcmp(key, "sektion")) {
-			if (strcmp(val, "0"))
-				req->q.sec = val;
+		    && strcmp(key, "sektion")
 #endif
-		} else if (0 == strcmp(key, "arch")) {
-			if (strcmp(val, "default"))
-				req->q.arch = val;
+		    )) {
+			if ( ! strcmp(val, "0"))
+				*val = '\0';
+			set_query_attr(&req->q.sec, &val);
 		}
+
+		else if ( ! strcmp(key, "arch")) {
+			if ( ! strcmp(val, "default"))
+				*val = '\0';
+			set_query_attr(&req->q.arch, &val);
+		}
+
+		/*
+		 * The key must be freed in any case.
+		 * The val may have been handed over to the query
+		 * structure, in which case it is now NULL.
+		 */
+next:
+		free(key);
+		key = NULL;
+		free(val);
+		val = NULL;
+
+		if (*qs != '\0')
+			qs++;
 	}
+
+	/* Fall back to the default manpath. */
+
+	if (req->q.manpath == NULL)
+		req->q.manpath = mandoc_strdup(req->p[0]);
 }
 
 static void
@@ -389,8 +441,8 @@ resp_searchform(const struct req *req)
 
 	printf(	"<TABLE><TR><TD>\n"
 		"<INPUT TYPE=\"text\" NAME=\"query\" VALUE=\"");
-	if (NULL != req->q.expr)
-		html_print(req->q.expr);
+	if (NULL != req->q.query)
+		html_print(req->q.query);
 	puts("\" SIZE=\"40\">");
 
 	/* Write submission and reset buttons. */
@@ -422,7 +474,11 @@ resp_searchform(const struct req *req)
 
 	/* Write architecture selector. */
 
-	puts("<SELECT NAME=\"arch\">");
+	printf(	"<SELECT NAME=\"arch\">\n"
+		"<OPTION VALUE=\"default\"");
+	if (NULL == req->q.arch)
+		printf(" SELECTED");
+	puts(">All Architectures</OPTION>");
 	for (i = 0; i < arch_MAX; i++) {
 		printf("<OPTION VALUE=\"%s\"", arch_names[i]);
 		if (NULL != req->q.arch &&
@@ -467,6 +523,20 @@ resp_searchform(const struct req *req)
 }
 
 static int
+validate_urifrag(const char *frag)
+{
+
+	while ('\0' != *frag) {
+		if ( ! (isalnum((unsigned char)*frag) ||
+		    '-' == *frag || '.' == *frag ||
+		    '/' == *frag || '_' == *frag))
+			return(0);
+		frag++;
+	}
+	return(1);
+}
+
+static int
 validate_manpath(const struct req *req, const char* manpath)
 {
 	size_t	 i;
@@ -545,7 +615,9 @@ pg_error_internal(void)
 static void
 pg_searchres(const struct req *req, struct manpage *r, size_t sz)
 {
+	char		*arch, *archend;
 	size_t		 i, iuse, isec;
+	int		 archprio, archpriouse;
 	int		 prio, priouse;
 	char		 sec;
 
@@ -564,8 +636,8 @@ pg_searchres(const struct req *req, struct manpage *r,
 		 * without any delay.
 		 */
 		printf("Status: 303 See Other\r\n");
-		printf("Location: %s/%s/%s?",
-		    scriptname, req->q.manpath, r[0].file);
+		printf("Location: http://%s%s/%s/%s?",
+		    HTTP_HOST, scriptname, req->q.manpath, r[0].file);
 		http_printquery(req);
 		printf("\r\n"
 		     "Content-Type: text/html; charset=utf-8\r\n"
@@ -573,8 +645,6 @@ pg_searchres(const struct req *req, struct manpage *r,
 		return;
 	}
 
-	qsort(r, sz, sizeof(struct manpage), cmp);
-
 	resp_begin_html(200, NULL);
 	resp_searchform(req);
 	puts("<DIV CLASS=\"results\">");
@@ -608,12 +678,30 @@ pg_searchres(const struct req *req, struct manpage *r,
 		puts("<HR>");
 		iuse = 0;
 		priouse = 10;
+		archpriouse = 3;
 		for (i = 0; i < sz; i++) {
 			isec = strcspn(r[i].file, "123456789");
 			sec = r[i].file[isec];
 			if ('\0' == sec)
 				continue;
 			prio = sec_prios[sec - '1'];
+			if (NULL == req->q.arch) {
+				archprio =
+				    (NULL == (arch = strchr(
+					r[i].file + isec, '/'))) ? 3 :
+				    (NULL == (archend = strchr(
+					arch + 1, '/'))) ? 0 :
+				    strncmp(arch, "amd64/",
+					archend - arch) ? 2 : 1;
+				if (archprio < archpriouse) {
+					archpriouse = archprio;
+					priouse = prio;
+					iuse = i;
+					continue;
+				}
+				if (archprio > archpriouse)
+					continue;
+			}
 			if (prio >= priouse)
 				continue;
 			priouse = prio;
@@ -785,9 +873,10 @@ format(const struct req *req, const char *file)
 		return;
 	}
 
-	snprintf(opts, sizeof(opts),
-	    "fragment,man=%s?query=%%N&amp;sec=%%S",
-	    scriptname);
+	snprintf(opts, sizeof(opts), "fragment,man=%s?"
+	    "manpath=%s&amp;query=%%N&amp;sec=%%S&amp;arch=%s",
+	    scriptname, req->q.manpath,
+	    req->q.arch ? req->q.arch : "");
 
 	mparse_result(mp, &mdoc, &man, NULL);
 	if (NULL == man && NULL == mdoc) {
@@ -823,20 +912,23 @@ resp_show(const struct req *req, const char *file)
 }
 
 static void
-pg_show(const struct req *req, const char *path)
+pg_show(struct req *req, const char *fullpath)
 {
-	char		*sub;
+	char		*manpath;
+	const char	*file;
 
-	if (NULL == path || NULL == (sub = strchr(path, '/'))) {
+	if ((file = strchr(fullpath, '/')) == NULL) {
 		pg_error_badrequest(
 		    "You did not specify a page to show.");
 		return;
 	} 
-	*sub++ = '\0';
+	manpath = mandoc_strndup(fullpath, file - fullpath);
+	file++;
 
-	if ( ! validate_manpath(req, path)) {
+	if ( ! validate_manpath(req, manpath)) {
 		pg_error_badrequest(
 		    "You specified an invalid manpath.");
+		free(manpath);
 		return;
 	}
 
@@ -846,14 +938,21 @@ pg_show(const struct req *req, const char *path)
 	 * relative to the manpath root.
 	 */
 
-	if (-1 == chdir(path)) {
+	if (chdir(manpath) == -1) {
 		fprintf(stderr, "chdir %s: %s\n",
-		    path, strerror(errno));
+		    manpath, strerror(errno));
 		pg_error_internal();
+		free(manpath);
 		return;
 	}
 
-	if ( ! validate_filename(sub)) {
+	if (strcmp(manpath, "mandoc")) {
+		free(req->q.manpath);
+		req->q.manpath = manpath;
+	} else
+		free(manpath);
+
+	if ( ! validate_filename(file)) {
 		pg_error_badrequest(
 		    "You specified an invalid manual file.");
 		return;
@@ -861,7 +960,7 @@ pg_show(const struct req *req, const char *path)
 
 	resp_begin_html(200, NULL);
 	resp_searchform(req);
-	resp_show(req, sub);
+	resp_show(req, file);
 	resp_end_html();
 }
 
@@ -903,7 +1002,7 @@ pg_search(const struct req *req)
 	 * Yes, this is half-ass.  But it works for now.
 	 */
 
-	ep = req->q.expr;
+	ep = req->q.query;
 	while (ep && isspace((unsigned char)*ep))
 		ep++;
 
@@ -948,7 +1047,7 @@ main(void)
 {
 	struct req	 req;
 	const char	*path;
-	char		*querystring;
+	const char	*querystring;
 	int		 i;
 
 	/* Scan our run-time environment. */
@@ -956,6 +1055,13 @@ main(void)
 	if (NULL == (scriptname = getenv("SCRIPT_NAME")))
 		scriptname = "";
 
+	if ( ! validate_urifrag(scriptname)) {
+		fprintf(stderr, "unsafe SCRIPT_NAME \"%s\"\n",
+		    scriptname);
+		pg_error_internal();
+		return(EXIT_FAILURE);
+	}
+
 	/*
 	 * First we change directory into the MAN_DIR so that
 	 * subsequent scanning for manpath directories is rooted
@@ -983,6 +1089,12 @@ main(void)
 		return(EXIT_FAILURE);
 	}
 
+	if ( ! (NULL == req.q.arch || validate_urifrag(req.q.arch))) {
+		pg_error_badrequest(
+		    "You specified an invalid architecture.");
+		return(EXIT_FAILURE);
+	}
+
 	/* Dispatch to the three different pages. */
 
 	path = getenv("PATH_INFO");
@@ -993,25 +1105,21 @@ main(void)
 
 	if ('\0' != *path)
 		pg_show(&req, path);
-	else if (NULL != req.q.expr)
+	else if (NULL != req.q.query)
 		pg_search(&req);
 	else
 		pg_index(&req);
 
+	free(req.q.manpath);
+	free(req.q.arch);
+	free(req.q.sec);
+	free(req.q.query);
 	for (i = 0; i < (int)req.psz; i++)
 		free(req.p[i]);
 	free(req.p);
 	return(EXIT_SUCCESS);
 }
 
-static int
-cmp(const void *p1, const void *p2)
-{
-
-	return(strcasecmp(((const struct manpage *)p1)->names,
-	    ((const struct manpage *)p2)->names));
-}
-
 /*
  * Scan for indexable paths.
  */
@@ -1034,7 +1142,20 @@ pathgen(struct req *req)
 			dpsz--;
 		req->p = mandoc_realloc(req->p,
 		    (req->psz + 1) * sizeof(char *));
-		req->p[req->psz++] = mandoc_strndup(dp, dpsz);
+		dp = mandoc_strndup(dp, dpsz);
+		if ( ! validate_urifrag(dp)) {
+			fprintf(stderr, "%s/manpath.conf contains "
+			    "unsafe path \"%s\"\n", MAN_DIR, dp);
+			pg_error_internal();
+			exit(EXIT_FAILURE);
+		}
+		if (NULL != strchr(dp, '/')) {
+			fprintf(stderr, "%s/manpath.conf contains "
+			    "path with slash \"%s\"\n", MAN_DIR, dp);
+			pg_error_internal();
+			exit(EXIT_FAILURE);
+		}
+		req->p[req->psz++] = dp;
 	}
 
 	if ( req->p == NULL ) {