X-Git-Url: http://www.privoxy.org/gitweb/show-status?a=blobdiff_plain;f=cgisimple.c;h=2b6cfbddd45d6d7c71670f7be52167d19eb8cc2b;hb=1545d9ac84338ec63463d418d9498ddfb08d01a2;hp=11781bd88b96427c0c0e6e5edf2c8991991ad9c2;hpb=2e94c2f701ea14e80599be74a68394e2a4b2c5c0;p=privoxy.git

diff --git a/cgisimple.c b/cgisimple.c
index 11781bd8..2b6cfbdd 100644
--- a/cgisimple.c
+++ b/cgisimple.c
@@ -1,4 +1,4 @@
-const char cgisimple_rcs[] = "$Id: cgisimple.c,v 1.97 2010/03/07 12:07:51 fabiankeil Exp $";
+const char cgisimple_rcs[] = "$Id: cgisimple.c,v 1.101 2011/02/14 16:04:55 fabiankeil Exp $";
 /*********************************************************************
  *
  * File        :  $Source: /cvsroot/ijbswa/current/cgisimple.c,v $
@@ -704,17 +704,24 @@ jb_err cgi_send_user_manual(struct client_state *csp,
    }
    get_string_param(parameters, "file", &filename);
 
-   /* Check paramter for hack attempts */
-   if (filename && strchr(filename, '/'))
+   if (filename == NULL)
    {
-      return JB_ERR_CGI_PARAMS;
+      /* It's '/' so serve the index.html if there is one. */
+      filename = "index.html";
    }
-   if (filename && strstr(filename, ".."))
+   else if (NULL != strchr(filename, '/') || NULL != strstr(filename, ".."))
    {
+      /*
+       * We currently only support a flat file
+       * hierachy for the documentation.
+       */
+      log_error(LOG_LEVEL_ERROR,
+         "Rejecting the request to serve '%s' as it contains '/' or '..'",
+         filename);
       return JB_ERR_CGI_PARAMS;
    }
 
-   full_path = make_path(csp->config->usermanual, filename ? filename : "index.html");
+   full_path = make_path(csp->config->usermanual, filename);
    if (full_path == NULL)
    {
       return JB_ERR_MEMORY;
@@ -1105,8 +1112,9 @@ jb_err cgi_show_url_info(struct client_state *csp,
          url_param[0] = '\0';
       }
    }
-   else if ((NULL == strstr(url_param, "://")
-      || (strstr(url_param, "://") > strstr(url_param, "/"))))
+   else if ((url_param[0] != '\0')
+      && ((NULL == strstr(url_param, "://")
+         || (strstr(url_param, "://") > strstr(url_param, "/")))))
    {
       /*
        * No prefix or at least no prefix before
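Review bot: The new `else if` guard in cgi_send_user_manual rejects only '/' and '..', so on a build where make_path treats the backslash as a directory separator (Windows, presumably — confirm against make_path) a `file` value containing '\\' would still be joined into full_path unchecked; if that is the case the guard should read `else if (NULL != strchr(filename, '/') || NULL != strchr(filename, '\\') || NULL != strstr(filename, ".."))`, and the new comment should say what the flat-hierarchy policy protects rather than only stating it, e.g. `/* Only a flat file hierarchy is supported, so any path component or parent reference in "file" is refused before make_path() sees it. */`. The same comment also has a typo: "hierachy" should be "hierarchy". The function starts and ends outside the hunk.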
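Review bot: The rewritten `else if` in cgi_show_url_info calls strstr(url_param, "://") twice and strstr(url_param, "/") once inside a four-level parenthesised condition, which makes the precedence hard to verify by eye; capturing the two searches in named locals before the test keeps the same evaluation, e.g. `const char *scheme_end = strstr(url_param, "://");` / `const char *first_slash = strstr(url_param, "/");` / `else if ((url_param[0] != '\0') && ((NULL == scheme_end) || (scheme_end > first_slash)))`. Note that the short-circuit keeps first_slash non-NULL whenever scheme_end is non-NULL, since "://" contains "/", so the pointer comparison stays well-defined as it is in the hunk. The function body continues outside the hunk.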
@@ -1860,6 +1868,7 @@ static jb_err load_file(const char *filename, char **buffer, size_t *length)
    fp = fopen(filename, "rb");
    if (NULL == fp)
    {
+      log_error(LOG_LEVEL_ERROR, "Failed to open %s: %E", filename);
       return JB_ERR_FILE;
    }