===================================================================
RCS file: /cvs/mandoc/roff.c,v
retrieving revision 1.103
retrieving revision 1.105
diff -u -p -r1.103 -r1.105
--- mandoc/roff.c	2010/12/01 10:21:25	1.103
+++ mandoc/roff.c	2010/12/01 16:54:25	1.105
@@ -1,4 +1,4 @@
-/*	$Id: roff.c,v 1.103 2010/12/01 10:21:25 kristaps Exp $ */
+/*	$Id: roff.c,v 1.105 2010/12/01 16:54:25 kristaps Exp $ */
 /*
  * Copyright (c) 2010 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2010 Ingo Schwarze <schwarze@openbsd.org>
@@ -60,11 +60,12 @@ enum	rofft {
 	ROFF_ig,
 	ROFF_ne,
 	ROFF_nh,
+	ROFF_nr,
 	ROFF_rm,
+	ROFF_so,
 	ROFF_tr,
 	ROFF_cblock,
 	ROFF_ccond, /* FIXME: remove this. */
-	ROFF_nr,
 	ROFF_MAX
 };
 
@@ -135,11 +136,13 @@ static	void		 roff_freestr(struct roff *);
 static	const char	*roff_getstrn(const struct roff *, 
 				const char *, size_t);
 static	enum rofferr	 roff_line_ignore(ROFF_ARGS);
+static	enum rofferr	 roff_line_error(ROFF_ARGS);
 static	enum rofferr	 roff_nr(ROFF_ARGS);
 static	int		 roff_res(struct roff *, 
 				char **, size_t *, int);
 static	void		 roff_setstr(struct roff *,
 				const char *, const char *);
+static	enum rofferr	 roff_so(ROFF_ARGS);
 static	char		*roff_strdup(const char *);
 
 /* See roff_hash_find() */
@@ -166,11 +169,12 @@ static	struct roffmac	 roffs[ROFF_MAX] = {
 	{ "ig", roff_block, roff_block_text, roff_block_sub, 0, NULL },
 	{ "ne", roff_line_ignore, NULL, NULL, 0, NULL },
 	{ "nh", roff_line_ignore, NULL, NULL, 0, NULL },
-	{ "rm", roff_line_ignore, NULL, NULL, 0, NULL },
+	{ "nr", roff_nr, NULL, NULL, 0, NULL },
+	{ "rm", roff_line_error, NULL, NULL, 0, NULL },
+	{ "so", roff_so, NULL, NULL, 0, NULL },
 	{ "tr", roff_line_ignore, NULL, NULL, 0, NULL },
 	{ ".", roff_cblock, NULL, NULL, 0, NULL },
 	{ "\\}", roff_ccond, NULL, NULL, 0, NULL },
-	{ "nr", roff_nr, NULL, NULL, 0, NULL },
 };
 
 static	void		 roff_free1(struct roff *);
@@ -846,7 +850,6 @@ roff_evalcond(const char *v, int *pos)
 	return(ROFFRULE_DENY);
 }
 
-
 /* ARGSUSED */
 static enum rofferr
 roff_line_ignore(ROFF_ARGS)
@@ -855,7 +858,15 @@ roff_line_ignore(ROFF_ARGS)
 	return(ROFF_IGN);
 }
 
+/* ARGSUSED */
+static enum rofferr
+roff_line_error(ROFF_ARGS)
+{
 
+	(*r->msg)(MANDOCERR_REQUEST, r->data, ln, ppos, roffs[tok].name);
+	return(ROFF_IGN);
+}
+
 /* ARGSUSED */
 static enum rofferr
 roff_cond(ROFF_ARGS)
@@ -1046,6 +1057,30 @@ roff_nr(ROFF_ARGS)
 	return(ROFF_IGN);
 }
 
+/* ARGSUSED */
+static enum rofferr
+roff_so(ROFF_ARGS)
+{
+	char *name;
+
+	(*r->msg)(MANDOCERR_SO, r->data, ln, ppos, NULL);
+
+	/*
+	 * Handle `so'.  Be EXTREMELY careful, as we shouldn't be
+	 * opening anything that's not in our cwd or anything beneath
+	 * it.  Thus, explicitly disallow traversing up the file-system
+	 * or using absolute paths.
+	 */
+
+	name = *bufp + pos;
+	if ('/' == *name || strstr(name, "../") || strstr(name, "/..")) {
+		(*r->msg)(MANDOCERR_SOPATH, r->data, ln, pos, NULL);
+		return(ROFF_ERR);
+	}
+
+	*offs = pos;
+	return(ROFF_SO);
+}
 
 static char *
 roff_strdup(const char *name)