Security fix:

Validate the name of the file to show before opening it.
Only allow relative filenames starting with "man" or "cat"
and containing neither "/.." nor "../".

While here, correct the condition discarding an initial "./".

Vulnerability found by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
Many thanks for sending a patch; however, i did not use it but made the
checks even stricter.

diff --git a/usr.bin/mandoc/cgi.c b/usr.bin/mandoc/cgi.c
index bfe8b60..bf175c8 100644 (file)
--- a/usr.bin/mandoc/cgi.c
+++ b/usr.bin/mandoc/cgi.c
@@ -1,4 +1,4 @@
-/*     $Id: cgi.c,v 1.15 2014/07/18 19:02:07 schwarze Exp $ */
+/*     $Id: cgi.c,v 1.16 2014/07/19 11:35:09 schwarze Exp $ */
 /*
  * Copyright (c) 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2014 Ingo Schwarze <schwarze@usta.de>
@@ -462,6 +462,17 @@ resp_searchform(const struct req *req)
        puts("<!-- End search form. //-->");
 }
 
+static int
+validate_filename(const char *file)
+{
+
+       if ('.' == file[0] && '/' == file[1])
+               file += 2;
+
+       return ( ! (strstr(file, "../") || strstr(file, "/..") ||
+           (strncmp(file, "man", 3) && strncmp(file, "cat", 3))));
+}
+
 static void
 pg_index(const struct req *req)
 {
@@ -519,6 +530,15 @@ pg_searchres(const struct req *req, struct manpage *r, size_t sz)
        int              prio, priouse;
        char             sec;
 
+       for (i = 0; i < sz; i++) {
+               if (validate_filename(r[i].file))
+                       continue;
+               fprintf(stderr, "invalid filename %s in %s database\n",
+                   r[i].file, req->q.manpath);
+               pg_error_internal();
+               return;
+       }
+
        if (1 == sz) {
                /*
                 * If we have just one result, then jump there now
@@ -773,7 +793,8 @@ format(const struct req *req, const char *file)
 static void
 resp_show(const struct req *req, const char *file)
 {
-       if ('.' == file[0] || '/' == file[1])
+
+       if ('.' == file[0] && '/' == file[1])
                file += 2;
 
        if ('c' == *file)
@@ -806,6 +827,12 @@ pg_show(const struct req *req, const char *path)
                return;
        }
 
+       if ( ! validate_filename(sub)) {
+               pg_error_badrequest(
+                   "You specified an invalid manual file.");
+               return;
+       }
+
        resp_begin_html(200, NULL);
        resp_searchform(req);
        resp_show(req, sub);