Security hole in multipart.cgi.in, w3mman2html.cgi.in

From: Hironori Sakamoto <h-saka@lsi.nec.co.jp>

scripts/multipart/multipart.cgi.in

@@ -25,7 +25,7 @@ if (defined($ENV{'QUERY_STRING'})) {
 	$CGI = "file:///\$LIB/multipart.cgi?file=" . &html_quote($file);
 }
 
-open(F, $file);
+open(F, "< $file");
 $end = 0;
 $mbody = '';
 if (defined($boundary)) {
@@ -258,7 +258,7 @@ sub load_mime_type {
 	local($file) = @_;
 	local(%m, $a, @b, $_);
 
-	open(M, $file) || return ();
+	open(M, "< $file") || return ();
 	while(<M>) {
 		/^#/ && next;
 		chop;

scripts/w3mhelp.cgi.in

@@ -1,5 +1,5 @@
 #!@PERL@
-# $Id: w3mhelp.cgi.in,v 1.3 2001/12/02 13:16:29 ukai Exp $
+# $Id: w3mhelp.cgi.in,v 1.4 2001/12/21 18:33:41 ukai Exp $
 
 $helpdir = "@HELP_DIR@";
 unshift(@INC, $helpdir);
@@ -29,7 +29,7 @@ if (defined($ENV{'QUERY_STRING'})) {
 	$tlang =~ s/\+|%([0-9A-Fa-f][0-9A-Fa-f])/$& eq '+' ? ' ' : pack('C', hex($1))/ge;
 	$tlang =~ tr/A-Z/a-z/;
 	print "tlang=$tlang\n";
-	eval qq{require "w3mhelp-funcdesc.$tlang.pl"};
+	eval {require "w3mhelp-funcdesc.$tlang.pl";};
 	if (defined(%funcdesc)) {
 	    $lang = $tlang;
 	}
@@ -37,7 +37,7 @@ if (defined($ENV{'QUERY_STRING'})) {
 }
 
 if (-f $keymap) {
-    open(KEYMAP, $keymap) || die "cannot open keymap: $keymap, $!";
+    open(KEYMAP, "< $keymap") || die "cannot open keymap: $keymap, $!";
     &load_keymap(*KEYMAP, $func);
     close(KEYMAP);
 }

scripts/w3mman/w3mman2html.cgi.in

@@ -31,7 +31,7 @@ Content-Type: text/html
 <h2>man -k <b>$k</b></h2>
 <ul>
 EOF
-    $keyword =~ s:([^\w./]):\\$1:g;
+    $keyword =~ s:([^-\w\200-\377.,])::g;
     open(F, "$MAN -k $keyword 2> /dev/null |");
     @line = ();
     while(<F>) {
@@ -82,8 +82,8 @@ if ($man =~ s/\((\w+)\)$//) {
   $man_section = "$man";
 }
 
-$section =~ s:([^\w./]):\\$1:g;
-$man =~ s:([^\w./]):\\$1:g;
+$section =~ s:([^-\w\200-\377.,])::g;
+$man =~ s:([^-\w\200-\377.,])::g;
 open(F, "$MAN $section $man 2> /dev/null |");
 $ok = 0;
 undef $header;