path: root/man.cgi.8
Commit message | Author | Age | Files | Lines
* typo; noticed by jmc@ some time ago
  Author: Ingo Schwarze; Age: 2014-08-22; Files: 1; Lines: -1/+1
* Security fix to prevent XSS attacks: Restrict the character set of strings passed into html_alloc(), in particular architecture names that come from the QUERY_STRING, but also SCRIPT_NAME and manpath.conf content for additional safety, and bail out safely on violations. Issue reported by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
  Author: Ingo Schwarze; Age: 2014-07-22; Files: 1; Lines: -0/+38
* Kristaps points out that the current HTTP/1.1 draft standard (RFC 2616) requires the Location: response-header field to be an absolute URI (14.30), and only the most recent proposed standard (RFC 7231), which is barely a month old, allows a relative Location: (7.1.2). While most modern browsers appear to support relative Location: headers, some may not, and it's maybe a bit early to rely on relative Location: headers. I'm not going back to the HTTP_HOST or SERVER_NAME CGI variables, though. While some CGI programs certainly require those, in which case both the CGI programmer and the web server admin have to be very careful to keep the system secure and reliable, man.cgi(8) does not really need them. We always know at compile time which domain we are running for, and for man.cgi(8), security and reliability are definitely much more important than flexibility. So make HTTP_HOST a compile-time definition for now.
  Author: Ingo Schwarze; Age: 2014-07-21; Files: 1; Lines: -0/+5
* Do not use the HTTP_HOST CGI variable, just make the HTTP redirect Location: relative. Less user input is good, it reduces the attack surface. Besides, this removes one global variable and 4 lines of code. Patch from Sebastien Marie <semarie-openbsd at latrappe dot fr>.
  Author: Ingo Schwarze; Age: 2014-07-18; Files: 1; Lines: -5/+0
* Compatibility hack for the old "manpath=OpenBSD<blank>" query parameter format; unfortunate, more than 400 links needing this are scattered all around the www.openbsd.org website, and CVSweb needs this as well.
  Author: Ingo Schwarze; Age: 2014-07-13; Files: 1; Lines: -21/+56
* Install the manuals of the web interface below the same directory as manpath.conf, such that we do not need to mix our own documentation into the documentation we are serving, which may not even be possible if the latter is updated automatically. Based on an idea by beck@.
  Author: Ingo Schwarze; Age: 2014-07-13; Files: 1; Lines: -0/+4
* update after recent code changes
  Author: Ingo Schwarze; Age: 2014-07-13; Files: 1; Lines: -56/+56
* Polish the search form using feedback from beck@ and others, in particular introduce a section dropdown and an architecture dropdown.
  Author: Ingo Schwarze; Age: 2014-07-12; Files: 1; Lines: -1/+1
* add HISTORY section
  Author: Ingo Schwarze; Age: 2014-07-11; Files: 1; Lines: -0/+8
* Full rewrite of the man.cgi(8) manual. Almost everything in the old man.cgi(7) was outdated in one way or another - catman, catman.conf, CACHE_DIR, /cache, manroots, replacing '/' with spaces, /tmp... Instead, document the HTML and URI interfaces, the output and the setup, and complete the listings of ENVIRONMENT variables and FILES. Using section 8 instead of section 7 because that's the usual place for CGI programs, see for example bgplg(8) and slowcgi(8).
  Author: Ingo Schwarze; Age: 2014-07-10; Files: 1; Lines: -0/+324