path: root/cgi.c
Commit message | Author | Age | Files | Lines
...
* Make HTML tags lower case for better stylistic agreement with what html.c does.
  Author: Ingo Schwarze | Date: 2016-04-15 | Files: 1 | Lines: -96/+96
* In the architectures dropdown, move aviion, ia64, solbourne, and vax down to the currently unsupported entries.
  Author: Ingo Schwarze | Date: 2016-04-15 | Files: 1 | Lines: -9/+9
* If PATH_INFO contains a complete and correct path to a manual page file, for example "/OpenBSD-5.9/man2/pledge.2", no database query is needed and the file is delivered directly. But even in this case, let's parse the PATH_INFO and fill the query structure such that the search form at the top of the result page gets pre-filled with useful values.
  Author: Ingo Schwarze | Date: 2016-04-15 | Files: 1 | Lines: -2/+3
* omit list of other results when there is only one match
  Author: Ingo Schwarze | Date: 2016-04-15 | Files: 1 | Lines: -20/+23
* for .Xr links, use short PATH_INFO style URIs
  Author: Ingo Schwarze | Date: 2016-04-14 | Files: 1 | Lines: -6/+2
* do not rewrite short queries
  Author: Ingo Schwarze | Date: 2016-04-14 | Files: 1 | Lines: -1/+4
* Give manuals in purely numerical sections priority over manuals of the same name in sections with an alphabetical suffix; same logic as in main.c rev. 1.264.
  Author: Ingo Schwarze | Date: 2016-04-13 | Files: 1 | Lines: -12/+14
* Make the SCRIPT_NAME logic simpler, safer, and make it actually work; in part based on ideas by bentley@. While here, improve the documentation.
  Author: Ingo Schwarze | Date: 2016-03-18 | Files: 1 | Lines: -23/+15
* make man(1) mode the default rather than apropos(1) mode
  Author: Ingo Schwarze | Date: 2016-03-17 | Files: 1 | Lines: -1/+2
* support short URIs for man.openbsd.org
  Author: Ingo Schwarze | Date: 2016-03-17 | Files: 1 | Lines: -8/+68
* Don't retain the search query in the resulting manual links. Clean, simple URLs are best. Patch from bentley@.
  Author: Ingo Schwarze | Date: 2016-01-04 | Files: 1 | Lines: -55/+2
* Modernization, no functional change intended: Use the POSIX function getline(3) rather than the slightly dangerous BSD function fgetln(3). Remove the related compatibility code.
  Author: Ingo Schwarze | Date: 2015-11-07 | Files: 1 | Lines: -11/+22
* Use include files "header.html" and "footer.html" rather than a compiled-in string. This is not a security risk, we read the file manpath.conf from the same directory, anyway. No error handling is needed; even if the files are absent, that's not an error. This is more flexible without causing complication of the code or the user interface.
  It helps the upcoming revamp of the online manual pages on man.NetBSD.org.
  Based on an idea by Jean-Yves Migeon <jeanyves dot migeon at free dot fr>, but implemented in a much simpler way.
  Author: Ingo Schwarze | Date: 2015-11-05 | Files: 1 | Lines: -1/+19
* Unify the three stylesheets into a single CSS file. Many thanks to bentley@ for doing this work.
  Author: Ingo Schwarze | Date: 2015-11-05 | Files: 1 | Lines: -4/+2
* use the new function man_validate() here, too
  Author: Ingo Schwarze | Date: 2015-10-22 | Files: 1 | Lines: -1/+4
* In order to become able to generate syntax tree nodes on the roff(7) level, validation must be separated from parsing and rewinding. This first big step moves calling of the mdoc(7) post_*() functions out of the parser loop into their own mdoc_validate() pass, while using a new mdoc_state() module to make syntax tree state handling available to both the parser loop and the validation pass.
  Author: Ingo Schwarze | Date: 2015-10-20 | Files: 1 | Lines: -2/+4
* Major character table cleanup:
    * Use ohash(3) rather than a hand-rolled hash table.
    * Make the character table static in the chars.c module: There is no need to pass a pointer around, we most certainly never want to use two different character tables concurrently.
    * No need to keep the characters in a separate file chars.in; that merely encourages downstream porters to mess with them.
    * Sort the characters to agree with the mandoc_chars(7) manual page.
    * Specify Unicode codepoints in hex, not decimal (that's the detail that originally triggered this patch).
  No functional change, minus 100 LOC, and i don't see a performance change.
  Author: Ingo Schwarze | Date: 2015-10-13 | Files: 1 | Lines: -7/+5
* modernize style: "return" is not a function
  Author: Ingo Schwarze | Date: 2015-10-06 | Files: 1 | Lines: -18/+18
* Profit from the unified struct roff_man and reduce the number of arguments of mparse_result() by one. No functional change. Written on the ICE Bruxelles-Koeln on the way back from p2k15.
  Author: Ingo Schwarze | Date: 2015-04-18 | Files: 1 | Lines: -6/+6
* Replace the structs mdoc and man by a unified struct roff_man. Almost completely mechanical, no functional change. Written on the train from Exeter to London returning from p2k15.
  Author: Ingo Schwarze | Date: 2015-04-18 | Files: 1 | Lines: -2/+2
* Actually use the new man.conf(5) "output" directive. Additional functionality, yet minus 45 lines of code.
  Author: Ingo Schwarze | Date: 2015-03-27 | Files: 1 | Lines: -6/+7
* Parse the new man.conf(5) "output" directive. The next step will be to actually use the parsed data.
  Author: Ingo Schwarze | Date: 2015-03-27 | Files: 1 | Lines: -3/+3
* trim trailing white space, no code change; from Svyatoslav Mishyn <juef at openmailboxd dot org>, Crux Linux
  Author: Ingo Schwarze | Date: 2015-02-10 | Files: 1 | Lines: -11/+11
* Fatal errors no longer exist. If a file can be opened, mandoc will produce some output; at worst, the output may be almost empty. Simplifies error handling and frees a message type for future use.
  Author: Ingo Schwarze | Date: 2015-01-15 | Files: 1 | Lines: -10/+2
* Make the code simpler and more robust by always assigning a value to q.manpath and dropping the (incomplete) later NULL checks.
  Author: Ingo Schwarze | Date: 2014-11-26 | Files: 1 | Lines: -11/+5
* In man(1) mode without -a, stop searching after the first manual tree that contained at least one match in order to not prefer mdoc(1) from ports over mdoc(7). As a bonus, this results in a speedup.
  Author: Ingo Schwarze | Date: 2014-11-11 | Files: 1 | Lines: -0/+1
* Make the character table available to libroff so it can check the validity of character escape names and warn about unknown ones. This requires mchars_spec2cp() to report unknown names again. Fortunately, that doesn't require changing the calling code because according to groff, invalid character escapes should not produce output anyway, and now that we warn about them, that's fine.
  Author: Ingo Schwarze | Date: 2014-10-28 | Files: 1 | Lines: -2/+6
* be a bit more patient, 1s is sometimes insufficient for legitimate queries
  Author: Ingo Schwarze | Date: 2014-10-07 | Files: 1 | Lines: -2/+2
* Modify man.cgi to use HTML5.
  Author: Kristaps Dzonsons | Date: 2014-09-27 | Files: 1 | Lines: -5/+2
* Support backslash-escaping of white space in the query expression, to be more similar to apropos(1) called from the shell. Missing feature reported by Marcus MERIGHI <mcmer dash openbsd at tor dot at> on misc@.
  Author: Ingo Schwarze | Date: 2014-09-14 | Files: 1 | Lines: -33/+32
* Sync section titles with OpenBSD. For section 4, "Kernel Interfaces" is just too confusing, the difference from sections 2 and 9 is too hard to see. The 3p change was suggested by bluhm@; that part of the manual describes more modules than functions. Align the CGI section titles with the console section titles.
  Author: Ingo Schwarze | Date: 2014-08-26 | Files: 1 | Lines: -6/+6
* limit CGI process execution time to make REDoS attacks less effective; attack surface pointed out by Sebastien Marie
  Author: Ingo Schwarze | Date: 2014-08-21 | Files: 1 | Lines: -0/+14
* Fully integrate apropos(1) into mandoc(1). Switch the argmode on the progname, including man(1). Provide -f and -k options to switch the argmode. Store the argmode inside struct search, generalizing the flags. Derive the deftype from the argmode when needed instead of storing it. Store the outkey inside struct search instead of passing it alone. While here, get rid of the trailing blanks in Makefile.depend.
  Author: Ingo Schwarze | Date: 2014-08-17 | Files: 1 | Lines: -3/+3
* Get rid of HAVE_CONFIG_H, it is always defined; idea from libnbcompat. Include <sys/types.h> where needed, it does not belong in config.h. Remove <stdio.h> from config.h; if it is missing somewhere, it should be added, but i cannot find a *.c file where it is missing.
  Author: Ingo Schwarze | Date: 2014-08-10 | Files: 1 | Lines: -2/+2
* mansearch.h uses uint64_t, so it needs stdint.h; found on Linux
  Author: Ingo Schwarze | Date: 2014-08-05 | Files: 1 | Lines: -0/+1
* Choosing the right encoding is a tricky business... Printing query strings for URIs *always* needs URI-encoding, and when embedding the URI into an HTML document, it needs replacement of the "&" separators by "&amp;" *in addition to that*, not instead. Delete the function html_primtquery(), it was completely wrong.
  You can see the badness by entering "mandoc &sec=2" into the query input box before this patch and click "Submit". You come to the right page at first (...man.cgi?query=mandoc+%26sec%3D2&apropos=0&sec=0&...), but now the link to mandoc(1) is wrong: ...mandoc.1?query=mandoc &amp;sec=2&amp;... Clicking on that, the "&sec=2" disappears from the query input box and suddenly you have the first dropdown set to "2 - System Calls". Oops.
  Author: Ingo Schwarze | Date: 2014-07-25 | Files: 1 | Lines: -34/+8
* Sort the URI keys for .Xr links in the same order used by the search form, and leave out the manpath when it is the default. For building the HTML formatter options, do not use a static buffer.
  Author: Ingo Schwarze | Date: 2014-07-25 | Files: 1 | Lines: -7/+12
* oops, we must not try to validate a manpath we don't have; fixing an oversight introduced in rev. 1.77
  Author: Ingo Schwarze | Date: 2014-07-25 | Files: 1 | Lines: -1/+2
* We cannot easily control the order of the QUERY_STRING keys generated by the search form, it's just the order of the fields in the form. Actually, that's not too bad; the generated URI resembles the generating form. To minimize confusion for people looking at URIs, give the keys in the same order when generating URIs for search listings and search redirections, the latter being used instead of search listings that would have only one single entry. Also, if the manpath is the default, remove it from the generated URIs.
  Author: Ingo Schwarze | Date: 2014-07-25 | Files: 1 | Lines: -16/+18
* In generated .Xr links, avoid double encoding of ampersands and avoid empty arch= keys.
  Author: Ingo Schwarze | Date: 2014-07-25 | Files: 1 | Lines: -1/+2
* Even though this is not XHTML yet, remove some gratuitous violations of XHTML syntax. Also add some cosmetic newlines to the HTML code.
  Author: Ingo Schwarze | Date: 2014-07-25 | Files: 1 | Lines: -11/+11
* The names of all other struct query members match the corresponding QUERY_STRING keys, so rename "expr" to "query". Also add some missing function prototypes. No functional change.
  Author: Ingo Schwarze | Date: 2014-07-25 | Files: 1 | Lines: -12/+16
* clean up pg_show() to not modify a string returned from getenv(3)
  Author: Ingo Schwarze | Date: 2014-07-25 | Files: 1 | Lines: -14/+19
* Rewrite http_parse() completely:
    1. Make sure the last occurrence of each key is used, even if it is empty, in which case it resets the value to the default.
    2. When there is an HTTP encoding error, skip the affected key-value pair only, but not all subsequent key-value pairs.
    3. Do not modify a string returned from getenv(3).
    4. Do not assume the NULL pointer is all null bits.
  Author: Ingo Schwarze | Date: 2014-07-25 | Files: 1 | Lines: -47/+102
* Sort result pages first by section number, then by name. By moving the sort from cgi.c to mansearch.c, we get two advantages: Easier access to the data needed for sorting, in particular the section number, and the apropos(1) command line utility profits as well. Feature requested by deraadt@.
  Author: Ingo Schwarze | Date: 2014-07-24 | Files: 1 | Lines: -11/+0
* Provide a dropdown entry "All Architectures" and make it the default. Still, amd64 remains the default in the following sense: If a man(1) mode search returns more than one page of the same name, prefer amd64 over other architectures for immediate display. ok deraadt@ daniel@
  Author: Ingo Schwarze | Date: 2014-07-24 | Files: 1 | Lines: -1/+25
* Security fix to prevent XSS attacks: Restrict the character set of strings passed into html_alloc(), in particular architecture names that come from the QUERY_STRING, but also SCRIPT_NAME and manpath.conf content for additional safety, and bail out safely on violations. Issue reported by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
  Author: Ingo Schwarze | Date: 2014-07-22 | Files: 1 | Lines: -1/+41
* fix a minibug reported by kristaps@: preserve manpath and arch in .Xr links
  Author: Ingo Schwarze | Date: 2014-07-21 | Files: 1 | Lines: -5/+9
* Kristaps points out that the current HTTP/1.1 draft standard (RFC 2616) requires the Location: response-header field to be an absolute URI (14.30), and only the most recent proposed standard (RFC 7231), which is barely a month old, allows a relative Location: (7.1.2). While most modern browsers appear to support relative Location: headers, some may not, and it's maybe a bit early to rely on relative Location: headers.
  I'm not going back to the HTTP_HOST or SERVER_NAME CGI variables, though. While some CGI programs certainly require those, in which case both the CGI programmer and the web server admin have to be very careful to keep the system secure and reliable, man.cgi(8) does not really need them. We always know at compile time which domain we are running for, and for man.cgi(8), security and reliability are definitely much more important than flexibility. So make HTTP_HOST a compile-time definition for now.
  Author: Ingo Schwarze | Date: 2014-07-21 | Files: 1 | Lines: -2/+2
* Security fix: Validate the manpath up front and report a Bad Request if it is not listed in manpath.conf, such that clients can't probe which directories exist on the server. In case of configuration errors, consistently report Internal Server Error without disclosing any further information. Partially based on a patch from Sebastien Marie <semarie-openbsd at latrappe dot fr>, but avoiding a couple of issues with that patch and approaching the issue in a somewhat more rigorous way.
  Author: Ingo Schwarze | Date: 2014-07-19 | Files: 1 | Lines: -4/+33