Index: CHANGES
===================================================================
RCS file: /disk2/cvs/webglimpse/CHANGES,v
retrieving revision 1.9
retrieving revision 1.10
diff -r1.9 -r1.10
2c2,3
<
---
> (***Logging is now done under CVS version control. See CHANGES.version_no file for a dump of recent
> changes***)
176c177
< 12/14/98 Entered into cvs version control system! Revision is $Id: CHANGES,v 1.9 1999/06/20 06:46:33 gvelez Exp $
---
> 12/14/98 Entered into cvs version control system! Revision is $Id: CHANGES,v 1.10 1999/07/12 23:19:08 golda Exp $
187a189
> ----- ALL CHANGES AFTER V1.6 ARE IN VERSION CONTROL FILES ------
Index: Makefile
===================================================================
RCS file: /disk2/cvs/webglimpse/Makefile,v
retrieving revision 1.6
retrieving revision 1.7
diff -r1.6 -r1.7
41a42,45
> hpux:
> $(OSFCC) -D_HPUX_SOURCE -Aa -O -o lib/httpget lib/httpget.c
> $(OSFCC) -D_HPUX_SOURCE -Aa -O -o lib/html2txt lib/html2txt.c
>
Index: confarc
===================================================================
RCS file: /disk2/cvs/webglimpse/confarc,v
retrieving revision 1.7
retrieving revision 1.8
diff -r1.7 -r1.8
47c47
< $REVISION='$Id: confarc,v 1.7 1999/01/07 22:43:12 gvelez Exp $';
---
> $REVISION='$Id: confarc,v 1.8 1999/09/14 02:53:56 golda Exp $';
597c597,598
< # if(!-e "$indexdir/.$file"){
---
> # No - you'll kill people's existing configurations.
--GB 6/19/99
> if(!-e "$indexdir/.$file"){
599,602c600,603
< # copy it into $indexdir
< print "Copying $file into $indexdir/.$file\n";
< system("cp $WEBGLIMPSE_DIST/$file $indexdir/.$file");
< chmod(0644, "$indexdir/.$file");
---
> # copy it into $indexdir
> print "Copying $file into $indexdir/.$file\n";
> system("cp $WEBGLIMPSE_DIST/$file $indexdir/.$file");
> chmod(0644, "$indexdir/.$file");
604c605
< # }
---
> }
Index: makenh
===================================================================
RCS file: /disk2/cvs/webglimpse/makenh,v
retrieving revision 1.13
retrieving revision 1.15
diff -r1.13 -r1.15
40c40
< $archivedir = $ARGV[0];
---
> $archivedir = $ARGV[0] || '';
138c138
< if($archivedir eq "") {
---
> if ($archivedir eq "") {
453a454,457
>
> # Skip comments as per Mike Kay --GV
> next if /^#/;
>
Index: cgi-bin/mfs
===================================================================
RCS file: /disk2/cvs/webglimpse/cgi-bin/mfs,v
retrieving revision 1.7
retrieving revision 1.8
diff -r1.7 -r1.8
16a17
> # Delete any quotes
18a20,26
>
> # Escape backslashes and get rid of nul characters to be safe -- CV 9/11/99
> $indexdir =~ s/\\/\\\\/g;
> $indexdir =~ s/\0//g;
> $file =~ s/\\/\\\\/g;
> $file =~ s/\0//g;
>
Index: cgi-bin/webglimpse
===================================================================
RCS file: /disk2/cvs/webglimpse/cgi-bin/webglimpse,v
retrieving revision 1.16
retrieving revision 1.18
diff -r1.16 -r1.18
70a71,74
> # CVS Revision
> $REVISION = '$Id: webglimpse,v 1.18 1999/09/14 02:48:45 golda Exp $';
>
>
201a206,209
> # the check for an insecure path won't work if there are backslashes before
> # the dots. To the shell, '\.\.' is the same as '..' Need to escape backslashes
> # first. -- CV 9/11/99
> $indexdir =~ s/\\/\\\\/g;
240d247
<
242a250,294
>
> #####################################################################
> # Translate input syntax (if input module exists) *before* all security
> # substitutions.
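Review bot: In makenh at 40c40, `$ARGV[0] || ''` replaces every false value, so an archive directory argument of `0` silently becomes the empty string and then takes the `$archivedir eq ""` branch touched at 138c138. Testing definedness keeps the warning fix without that side effect: `$archivedir = defined($ARGV[0]) ? $ARGV[0] : '';`. The same pattern is added in lib/URL.pl at 48c48 (`$userstring = $1 || '';`); there `$1` may also still hold a capture from an earlier match if the match above it failed, but that match is outside the hunk.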
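Review bot: In cgi-bin/mfs at 18a20,26, `$indexdir` and `$file` are rewritten instead of rejected, so a request carrying a backslash or NUL still proceeds, now with a name the client never sent. For a CGI parameter that names a directory or file, refusing the request is easier to reason about than repairing the value, for example `die "bad path\n" if "$indexdir$file" =~ /[\\\0]/;` placed before any substitution. The added lines do not look for `..` components either; if that check exists it is outside the hunk, and it should run on the final value after all substitutions. How the two variables are used afterwards is not visible here.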
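Review bot: In cgi-bin/webglimpse at 201a206,209, doubling backslashes so that a later `..` test holds makes the path check depend on how the shell will eventually unquote the string, which is hard to keep correct as the surrounding code changes. An index directory has no legitimate need for a backslash, so the request can be refused before the path check: `die "invalid indexdir\n" if $indexdir =~ /\\/;` (or the script's own error routine). The same escape-for-the-shell approach is applied to `$QS_query` in 242a250,294 and to `$QS_filter` in 258c311,321; running glimpse with an argument list instead of a shell command string would make these substitutions unnecessary. The insecure-path check and the glimpse invocation are both outside these hunks.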
There was a serious security hole in version 1.7.1 to 1.7.5 with
> # ' -> '"'"' substitutions. -- CV 9/11/99
>
> if ( -e $INPUT_SYNTAX) {
> require $INPUT_SYNTAX;
> $mInput = new InputSyntax;
> } else {
> $mInput = undef;
> }
>
> # If we are asked to, use our new input filter
> # TODO: check for optional hidden tag.
> if (defined($mInput)) {
> $QS_query = $mInput->translateQuery($QS_query);
> }
>
> ################################################################
> # Now we do security substitutions to query. Later these should
> # be put in a separate "security" module in case we need to do
> # them to other strings.
>
> # Remove nul characters in the query. They could cause the shell to cut
> # off part of the command line to glimpse. I found no exploit, but just in
> # case. -- CV 9/11/99
> $QS_query =~ s|\0||g;
>
> # Make sure that glimpse won't confuse the query string with an option string.
> # I found no exploit for this hole, but I feel better this way.
> # A cleaner solution would be to implement the standard semantics of '--' in
> # glimpse. That is, after a '--', all remaining command line arguments are
> # never interpreted as options, regardless of whether they start with a dash.
> # -- CV 9/11/99
> # Yes - people who actually want to query on a string beginning with a dash should
> # comment out the following line. --GV 9/13/99
> $QS_query =~ s|^\-+||g;
>
> # Escape backslashes in the query. Fixes a serious security hole. -- CV 9/11/99
> $QS_query =~ s|\\|\\\\|g;
>
> # End security section for query variable.
> ########################################################################
>
243a296
>
258c311,321
< $QS_filter =~ s/\./\\./g;
---
>
> #############################################################
> # Security section for QS_filter - TODO: pull out into module
> # Get rid of nul characters (see comment above). -- CV 9/11/99
> $QS_filter =~ s/\0//g;
>
> # Need to escape backslashes, to be safe ...
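Review bot: Moving the translation step ahead of the security section in 242a250,294 means `translateQuery` now receives the query exactly as it arrived in the request, and nothing in the added comments tells the author of an input module so. A comment above the call such as `# NOTE: translateQuery() is handed raw, unsanitized request data; it must not pass it to a shell, eval or open` would record that contract for anyone writing or replacing `$INPUT_SYNTAX`. As a style point in the same hunk, `new InputSyntax` is indirect object syntax; `InputSyntax->new` parses unambiguously.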
-- CV 9/11/99
> $QS_filter =~ s/\\/\\\\/g;
>
> $QS_filter =~ s/\./\\./g; # Question - do we need this line?
>
259a323,333
>
> # Make sure that glimpse won't confuse the filter with an option string.
> # -- CV 9/11/99
> $QS_filter =~ s/^\-+//g;
>
> # End security section for QS_filter
> ##############################################################
>
> $OPT_filter = '';
> $OPT_filter="-F '$QS_filter'" if $QS_filter;
>
391,396c465,468
< if ( -e $INPUT_SYNTAX) {
< require $INPUT_SYNTAX;
< $mInput = new InputSyntax;
< } else {
< $mInput = undef;
< }
---
> # Moved test for input syntax module to an earlier place, because
> # it is needed there. Unfortunately, can't move tests for all modules
> # to the new place, because the output module depends on some
> # query variables. -- CV 9/11/99
411,415c483,484
< # If we are asked to, use our new input filter
< # TODO: check for optional hidden tag.
< if (defined($mInput)) {
< $QS_query = $mInput->translateQuery($QS_query);
< }
---
> # CV: This was the wrong place for input translation. It needs to be
> # done before all security checks.
Index: dist/wgfilter-index
===================================================================
RCS file: /disk2/cvs/webglimpse/dist/wgfilter-index,v
retrieving revision 1.8
retrieving revision 1.9
diff -r1.8 -r1.9
24d23
< Deny \?
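Review bot: In 259a323,333, `$OPT_filter="-F '$QS_filter'"` places the filter between single quotes, yet none of the lines added here or in 258c311,321 removes or escapes a `'` inside `$QS_filter`. The unchanged line that sits between the two hunks may do that (the query-section comments mention a `'` substitution), but it is not visible, so this needs confirming. If it does, a comment beside the assignment should state that the quoting relies on that line and on its position relative to the backslash escaping, e.g. `# relies on the quote substitution above; keep it after the backslash escape`. If it does not, the filter should be refused when it contains a single quote before `$OPT_filter` is built.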
Index: lib/CustomOutputTool.pm
===================================================================
RCS file: /disk2/cvs/webglimpse/lib/CustomOutputTool.pm,v
retrieving revision 1.8
retrieving revision 1.10
diff -r1.8 -r1.10
6a7,8
> $REVISION = '$Id $';
>
214,215c216,217
< my $key;
<
---
> my ($key, $pat);
> $_ = $filename;
217,219c219,220
<
< ($filename =~ /$OutputFieldPathDefs{$key}/) && ($OutputVars{$key} = $1);
<
---
> $pat = $OutputFieldPathDefs{$key} || next;
> /$pat/ && ($OutputVars{$key} = $1);
226,227c227,228
<
< /$OutputFieldFileDefs{$key}/ && ($OutputVars{$key} = $1);
---
> $pat = $OutputFieldFileDefs{$key} || next;
> /$pat/ && ($OutputVars{$key} = $1);
447a449,451
> # Strip any leading '/' from indexdir (as per Charlie Roche) --GV 9/13/99
> $indexdir =~ s/^\/+//;
>
463a468,470
>
> # Strip any leading '/' from indexdir (as per Charlie Roche) --GV 9/13/99
> $indexdir =~ s/^\/+//;
Index: lib/OutputTool.pm
===================================================================
RCS file: /disk2/cvs/webglimpse/lib/OutputTool.pm,v
retrieving revision 1.7
retrieving revision 1.8
diff -r1.7 -r1.8
103a104,109
> sub makeEndFileDesc {
> my $self = shift;
>
> my $retstring = $self->{end_file_marker};
> return $retstring;
> }
Index: lib/URL.pl
===================================================================
RCS file: /disk2/cvs/webglimpse/lib/URL.pl,v
retrieving revision 1.7
retrieving revision 1.8
diff -r1.7 -r1.8
48c48
< $userstring = $1;
---
> $userstring = $1 || ''; # Correct uninitialized variable warning as per Seth Chaiklin --GV 9/13/99
Index: lib/parsefields.pl
===================================================================
RCS file: /disk2/cvs/webglimpse/lib/parsefields.pl,v
retrieving revision 1.3
retrieving revision 1.4
diff -r1.3 -r1.4
12a13,14
> $debug = 0;
>
24,27c26
< warn("Parsefields read FIELDS: $fields\n");
< open(F, ">/tmp/PF");
< print F "Parsefields RAN and read FIELDS $fields \n";
< close F;
---
> $debug && warn("Parsefields read FIELDS:
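Review bot: `$_ = $filename;` at 214,215c216,217 in lib/CustomOutputTool.pm assigns the global `$_` without localizing it, so whatever the caller held in `$_` is overwritten once this code returns. `local $_ = $filename;` keeps the shorter `/$pat/` form used in 217,219c219,220 and restores the caller's value on exit. The `|| next` guard in 217,219c219,220 and 226,227c227,228 is a sensible way to skip undefined patterns; a one-line comment such as `# no pattern defined for this field` would say why it is there. The enclosing sub and its loops start outside these hunks.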
$fields\n");
Index: lib/siteconf.pl
===================================================================
RCS file: /disk2/cvs/webglimpse/lib/siteconf.pl,v
retrieving revision 1.8
retrieving revision 1.9
diff -r1.8 -r1.9
13c13,16
< $DirectoryIndex="";
---
> # Changed to array as per Seth Chaiklin - we need store all possible values!
> #$DirectoryIndex="";
> @IndexFiles=();
>
82,93c85,90
< # Added as per j. holler's suggestion. --GB 10/16/97
< # Get the whole list of possible filenames
< @DirList = split(/\s/);
< $j = 1;
< # Check we got a valid one (could be a .cgi or other non-html)
< while ( ($DirectoryIndex !~ /[hH][tT][mM].*/) && ($j < @DirList)) {
< $DirectoryIndex = $DirList[$j];
< $j++;
< }
< # If we don't think any are valid, go back to the first one
< if ($DirectoryIndex !~ /[hH][tT][mM].*/) {
< $DirectoryIndex = $DirList[1];
---
> # Keep ALL valid DirectoryIndex settings --GV 9/13/99
> my $dirindex;
> foreach $dirindex (split(/\s/,$DirectoryIndex)) {
> if ($dirindex !~ /[hH][tT][mM].*/) {
> push @IndexFiles $dirindex;
> }
95a93
>
116,117c114,117
< if (!defined($DirectoryIndex) || ($DirectoryIndex eq "")) {
< $DirectoryIndex = "index.html";
---
>
> # Make sure we have at least one candidate for the index file
> if (@IndexFiles ==0) {
> push @IndexFiles 'index.html';
291,294d290
< if ($path =~ /\/$/) {
< $path .= "$DirectoryIndex";
< }
<
317c313
< # if it's a directory, add /index.html
---
> # if it's a directory, try adding an index file
321c317,325
< $retstring = $retstring.$DirectoryIndex;
---
>
> my $indexfile;
>
> DIRINDEX: foreach $indexfile (@IndexFiles) {
> if ( -e "$retstring.$indexfile") {
> $retstring .= $indexfile;
> last DIRINDEX;
> }
> }
324c328
< # Get rid of // sequences
---
> # Get rid of // sequences and any trailing /
325a330
> $retstring =~ s/\/$//g;
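Review bot: The loop added at 82,93c85,90 in lib/siteconf.pl does not compile and tests the wrong thing: `push @IndexFiles $dirindex;` is missing the comma after the array (the same slip is in `push @IndexFiles 'index.html';` at 116,117c114,117), and `!~` keeps the names that do not look like HTML although the comment says the valid ones are kept. It also splits `$DirectoryIndex`, whose initialisation this commit comments out at 13c13,16, whereas the removed code split the current line in `$_` and skipped element 0. Unless `$DirectoryIndex` is assigned somewhere outside the hunk, `@IndexFiles` would only ever receive the `index.html` fallback. A version that keeps the old input and the old pattern follows; the enclosing block starts and ends outside the hunk, and the brace that closes the loop appears to be the unchanged line after it.

```perl
# Keep ALL valid DirectoryIndex settings --GV 9/13/99
my @words = split(/\s/);    # $_ is the current config line, as in the removed code
shift @words;               # element 0 was skipped by the removed code ($j = 1)
foreach my $dirindex (@words) {
    push(@IndexFiles, $dirindex) if $dirindex =~ /[hH][tT][mM].*/;
# ... unchanged: closing brace after the hunk ends the loop ...
```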
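Review bot: In 321c317,325 the test `-e "$retstring.$indexfile"` interpolates a literal `.` between the two values, so it checks a name such as `dir/.index.html` while the next line appends `$indexfile` without the dot; the removed line used `.` as the concatenation operator. `if ( -e "$retstring$indexfile") {` tests the same name that is then built. When no candidate exists the directory is returned unchanged and 325a330 then strips its trailing `/`, which callers may not expect. `-e` also assumes `$retstring` is a filesystem path at this point, which is decided outside the hunk.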