From 42b7df08741512528b27e289675de8247697eda9 Mon Sep 17 00:00:00 2001
From: schwarze
Date: Fri, 18 Jul 2014 19:02:07 +0000
Subject: [PATCH] Do not use the HTTP_HOST CGI variable, just make the HTTP redirect Location: relative. Less user input is good, it reduces the attack surface. Besides, this removes one global variable and 4 lines of code. Patch from Sebastien Marie .

---
 usr.bin/mandoc/cgi.c | 10 +++-------
 usr.bin/mandoc/man.cgi.8 | 9 ++-------
 2 files changed, 5 insertions(+), 14 deletions(-)

diff --git a/usr.bin/mandoc/cgi.c b/usr.bin/mandoc/cgi.c
index 0ddc41c6d48..bfe8b605c0a 100644
--- a/usr.bin/mandoc/cgi.c
+++ b/usr.bin/mandoc/cgi.c
@@ -1,4 +1,4 @@
-/* $Id: cgi.c,v 1.14 2014/07/18 14:46:20 schwarze Exp $ */
+/* $Id: cgi.c,v 1.15 2014/07/18 19:02:07 schwarze Exp $ */
 /*
 * Copyright (c) 2011, 2012 Kristaps Dzonsons
 * Copyright (c) 2014 Ingo Schwarze
@@ -75,7 +75,6 @@ static void resp_searchform(const struct req *);
 static void resp_show(const struct req *, const char *);
 
 static const char *scriptname; /* CGI script name */
-static const char *httphost; /* hostname used in the URIs */
 
 static const int sec_prios[] = {1, 4, 5, 8, 6, 3, 7, 2, 9};
 static const char *const sec_numbers[] = {
@@ -526,8 +525,8 @@ pg_searchres(const struct req *req, struct manpage *r, size_t sz)
 * without any delay.
 */
 printf("Status: 303 See Other\r\n");
- printf("Location: http://%s%s/%s/%s?",
- httphost, scriptname, req->q.manpath, r[0].file);
+ printf("Location: %s/%s/%s?",
+ scriptname, req->q.manpath, r[0].file);
 http_printquery(req);
 printf("\r\n"
 "Content-Type: text/html; charset=utf-8\r\n"
@@ -903,9 +902,6 @@ main(void)
 if (NULL == (scriptname = getenv("SCRIPT_NAME")))
 scriptname = "";
 
- if (NULL == (httphost = getenv("HTTP_HOST")))
- httphost = "localhost";
-
 /*
 * First we change directory into the MAN_DIR so that
 * subsequent scanning for manpath directories is rooted
diff --git a/usr.bin/mandoc/man.cgi.8 b/usr.bin/mandoc/man.cgi.8
index 44ed2ffa9a6..3acb52cfb04 100644
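Review bot: The relative Location: value built in the pg_searchres hunk is allowed by RFC 7231 §7.1.2 but not by the older RFC 2616 §14.30, which required an absoluteURI, and nothing in the code records that this is deliberate, so a later reader may be tempted to put the host back. A short comment above the call, `/* Relative Location: is permitted by RFC 7231; an absolute URL would have to be built from the client-controlled Host header. */`, would preserve the reasoning given in the commit message. The header still interpolates req->q.manpath and r[0].file unescaped; if manpath is checked against the configured manpath list before this point (not visible in the hunk) that is fine, otherwise those values need a CR/LF check before they are written into a response header. pg_searchres starts and ends outside the hunk.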
--- a/usr.bin/mandoc/man.cgi.8
+++ b/usr.bin/mandoc/man.cgi.8
@@ -1,4 +1,4 @@
-.\" $Id: man.cgi.8,v 1.4 2014/07/13 15:38:06 schwarze Exp $
+.\" $Id: man.cgi.8,v 1.5 2014/07/18 19:02:07 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ingo Schwarze
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 13 2014 $
+.Dd $Mdocdate: July 18 2014 $
 .Dt MAN.CGI 8
 .Os
 .Sh NAME
@@ -266,11 +266,6 @@ is supported as an alias for
 The web server may pass the following CGI variables to
 .Nm :
 .Bl -tag -width Ds
-.It Ev HTTP_HOST
-The FQDN of the (possibly virtual) host the HTTP server is running on.
-This is used for
-.Ic Location:
-headers in HTTP 303 responses.
 .It Ev PATH_INFO
 The final part of the URI path passed from the client to the server,
 starting after the
-- 
2.20.1