On-Line Manual Pages & Handbook

YONETANI Tomokazu qhwt+dfly at les.ath.cx
Wed Mar 16 10:09:54 PST 2005


On Wed, Mar 16, 2005 at 12:02:22AM -0500, justin at xxxxxxxxxxxxxxxxxx wrote:
> I noticed while doing this that links to the rc.conf(5) web-man page don't
> work...  Not sure why, since I haven't dug farther.

Because the "Security filter" strips off the dot and the rest of the characters
in $COMMAND.
Patch against web-man attached, which does:
- parse $QUERY_STRING a bit more carefully.
- ignore the shorter form (/web-man?ntpd+8); it didn't work for manpages
  like g++(1) anyway.
- don't display builtin(1) when section wasn't specified.
--- web-man.orig	2005-03-16 14:09:58.000000000 +0900
+++ web-man	2005-03-16 16:26:33.000000000 +0900
@@ -14,25 +14,24 @@
 # The full URL of the Man-cgi :
 MANCGI='http://leaf.dragonflybsd.org/cgi/web-man'
 
+# Regular expression pattern available as command name or section number
+# This should not contain characters which require shell escape
+re_command="[0-9a-zA-Z_.+[-]*"
+re_section="[0-9a-zA-Z]*"
+
 ### END OF CONFIGURATION SECTION ###############################################
 
 # Extract query info
 #
-COMMAND=`echo $QUERY_STRING | sed 's/.*command=//' | sed 's/&.*//'`
-SECTION=`echo $QUERY_STRING | sed 's/.*section=//' | sed 's/&.*//'`
-
-# Security filter
-#
-COMMAND=`echo $COMMAND | sed 's/\([0-9a-zA-Z,_,-]*\).*/\1/'`
-SECTION=`echo $SECTION | sed 's/\([0-9a-zA-Z,_,-]*\).*/\1/'`
-
-if [ $SECTION = "ANY" ] ; then
+COMMAND=`echo "$QUERY_STRING" | sed -n 's/^.*command=\('"$re_command"'\).*/\1/p'`
+SECTION=`echo "$QUERY_STRING" | sed -n 's/^.*section=\('"$re_section"'\).*/\1/p'`
+if [ x"$SECTION" = x"ANY" ] ; then
   SECTION=""
 fi;
 
 echo "Content-type: text/html"
 echo ""
-if [ "$COMMAND" != "" ] ; then
+if [ x"$COMMAND" != x"" ] ; then
   cat <<END
   <HTML>
   	<HEAD>
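
Review bot: re_command accepts `-` in the first position, so the extracted COMMAND can begin with a dash and will be read as an option, not a page name, when it reaches `man "$SECTION" "$COMMAND"`. Require a first character other than `-` in the pattern (letters, digits and `_` cover names like g++ and rc.conf), or reject a COMMAND that starts with a dash before it is used. Separately, `^.*command=` is not tied to a parameter boundary: it also matches inside a longer key that ends in "command=", and the greedy `.*` picks the last occurrence in the query string. Matching only at the start of the string or directly after `&` would make the parse deterministic. The same applies to the `section=` expression.
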
@@ -50,7 +49,7 @@
 	echo "<h3>Manual page could not be found, please try again.</h3>"
 fi
 
-  man "$SECTION" "$COMMAND" | \
+  man "$SECTION" "$COMMAND" 2>/dev/null | \
   sed \
           -e '/-$/N
 {
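
Review bot: the added `2>/dev/null` on the `man "$SECTION" "$COMMAND"` line discards every diagnostic from man, not only the "no entry" message, so a broken manpath or a failing formatter produces an empty page with nothing in the server's error log. Consider leaving stderr attached to the error log, or filtering out only the not-found message. On the same line, SECTION is set to "" for "ANY" (and is empty when no section is given), yet it is still passed as a separate empty argument; passing the section only when it is non-empty avoids depending on how man treats an empty operand.
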



