More thoroughly reject direct access to unintended files, such that

URIs like http://man.openbsd.org/OpenBSD-current/mandoc.db and http://man.openbsd.org/OpenBSD-current/man1/ do not cause display of garbage.
author: Ingo Schwarze <schwarze@openbsd.org> 2017-04-19 01:00:03 +0000
committer: Ingo Schwarze <schwarze@openbsd.org> 2017-04-19 01:00:03 +0000
commit: b6c38ba54b141f508c5d22eb714a3e7c79a6c33c (patch)
tree: c5b7095435cb2725c14cc07b85b4e87d13fa6737
parent: 0a01aecfc2a95af2e7c4a4cba60c688fed82d9d4 (diff)
download: mandoc-b6c38ba54b141f508c5d22eb714a3e7c79a6c33c.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/cgi.c b/cgi.c
index 614d2107..46b82435 100644
--- a/cgi.c
+++ b/cgi.c
@@ -1073,7 +1073,8 @@ main(void)
 
 	if (*path != '\0') {
 		parse_path_info(&req, path);
-		if (req.q.manpath == NULL || access(path, F_OK) == -1)
+		if (req.q.manpath == NULL || req.q.sec == NULL ||
+		    *req.q.query == '\0' || access(path, F_OK) == -1)
 			path = "";
 	} else if ((querystring = getenv("QUERY_STRING")) != NULL)
 		parse_query_string(&req, querystring);
author	Ingo Schwarze <schwarze@openbsd.org>	2017-04-19 01:00:03 +0000
committer	Ingo Schwarze <schwarze@openbsd.org>	2017-04-19 01:00:03 +0000
commit	b6c38ba54b141f508c5d22eb714a3e7c79a6c33c (patch)
tree	c5b7095435cb2725c14cc07b85b4e87d13fa6737
parent	0a01aecfc2a95af2e7c4a4cba60c688fed82d9d4 (diff)
download	mandoc-b6c38ba54b141f508c5d22eb714a3e7c79a6c33c.tar.gz