Reporter: Prentiss Riddle Thu Apr 18 11:10:35 1996 This is an enhancement, not a bug fix. In order to let my users customize their WWWWAIS forms, I've made a couple of minor changes to wwwwais25.c to permit the PageTitle variable to be specified through the CGI interface and not restrict them to a one-size-fits-all value in the config file. This raises a small security point: if WWWWAIS believes the CGI environment about where to look for the PageTitle file, it could be used by bad guys to prowl restricted areas on the local file system. My solution is to make WWWWAIS look for a "cookie" in the first line of the PageTitle file permitting its redistribution, if and only if PageTitle is set via the CGI interface. This "cookie" solution is not as elegant as I would like, but it's a workable one that I have used in similar situations with other gateway software. My user documentation about how to create WWWWAIS forms, including an explanation of the "cookie", is at: http://riceinfo.rice.edu/sw/swish/#wwwwais -- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu -- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle -- Home office: 2002-A Guadalupe St. #285, Austin, TX 78705 / 512-323-0708 -------------------------------------------------------------------------- *** wwwwais.25.c.orig Thu Mar 21 11:15:52 1996 --- wwwwais.25r.c.diff Thu Apr 18 10:48:51 1996 *************** *** 19,24 **** --- 19,26 ---- ** 2.42: , *duh*..., WWWW_SELECTION. ** 2.5 : SWISH support added, TIMEOUT value, realbytes deleted, negative ** line info not printed, selection fix. + ** 2.5r: Permit PageTitle to be set via CGI interface. + ** Prentiss Riddle, riddle@rice.edu, 1996.04.18 ** ** Thanks to Andrew Williams, Christian Bartholdsson, Enzo Michelangeli, ** Achim Jung, Alexander Gagin, Jim Robb, and many others for good *************** *** 40,46 **** #include #include ! 
#define VERSION "2.5" #define WAISTITLE "WAIS Gateway" #define VERSTITLE "WAIS Gateway Version Information" #define DOCURL "http://www.eit.com/software/wwwwais/wwwwais.html" --- 42,48 ---- #include #include ! #define VERSION "2.5r" #define WAISTITLE "WAIS Gateway" #define VERSTITLE "WAIS Gateway Version Information" #define DOCURL "http://www.eit.com/software/wwwwais/wwwwais.html" *************** *** 66,71 **** --- 68,75 ---- #define USEICONSTXT "useicons=" #define DESCTXT "getdesc=" #define DOCNUMTXT "docnum=" + #define PAGETITLETXT "pagetitle=" + #define TITLECOOKIE "GatewayMayRedistribute" #define NO_ICON "no icon" #define NO_DESC "(No description)" #define NO_SELECT "none" *************** *** 131,137 **** int use_icons, indexsources, no_options, use_selection, ! docnum, version; int skip[MAXSTRLEN]; static char query_string[MAXSTRLEN], sorttype[MAXSTRLEN], --- 135,141 ---- int use_icons, indexsources, no_options, use_selection, ! docnum, version, title_from_cgi; int skip[MAXSTRLEN]; static char query_string[MAXSTRLEN], sorttype[MAXSTRLEN], *************** *** 174,179 **** --- 178,184 ---- use_icons = 0; use_selection = 0; indexsources = 0; + title_from_cgi = 0; docnum = -1; signal(SIGSEGV, badsegviol); *************** *** 255,260 **** --- 260,273 ---- strcpy(keywords, ""); if ((p = (char *) getenv("WWWW_KEYWORDS")) != NULL) strcpy(keywords, p); + if ((p = (char *) getvalue(PAGETITLETXT, pagetitle)) != NULL) { + strcpy(pagetitle, p); + title_from_cgi = 1; + } + if ((p = (char *) getenv("WWWW_PAGETITLE")) != NULL) { + strcpy(pagetitle, p); + title_from_cgi = 1; + } /* If there is a pop-up selection, these variables (host, port, etc.) ** are overridden. *************** *** 403,409 **** printf("Content-type: text/html\n\n"); if (lstrstr(pagetitle, ".html")) { ! 
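Review bot: Both added `strcpy(pagetitle, p);` calls copy a request-controlled string (the `pagetitle=` form value and the `WWWW_PAGETITLE` environment variable) into `pagetitle` with no length check. The declaration of `pagetitle` is outside this hunk, but if it is a fixed `MAXSTRLEN` array like the neighbouring `static char` buffers, an over-long value writes past its end. A bounded copy such as `snprintf(pagetitle, sizeof pagetitle, "%s", p);` would close that, assuming `pagetitle` is an array in scope here. The first call also passes `pagetitle` itself as the second argument to `getvalue`, which looks unintended and is worth checking against the other `getvalue` calls, which are not visible in this hunk.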
if ((fp = fopen(pagetitle, "r")) != NULL) { while (fgets(line, MAXSTRLEN, fp) != NULL) printf("%s", line); fclose(fp); --- 416,433 ---- printf("Content-type: text/html\n\n"); if (lstrstr(pagetitle, ".html")) { ! /* Whew! This gets complex. We want to prevent bad ! * guys from probing our site by specifying access- ! * restricted files as the PageTitle. We do this by ! * using the contents of the PageTitle file only if it ! * came from the wwwwais config file (not the CGI ! * interface) or if its first line contains a cookie ! * string telling us it's okay. -- PR ! */ ! if (((fp = fopen(pagetitle, "r")) != NULL) && ! (!title_from_cgi || ! ((fgets(line, MAXSTRLEN, fp) != NULL) && ! (strstr(line, TITLECOOKIE) != NULL)))) { while (fgets(line, MAXSTRLEN, fp) != NULL) printf("%s", line); fclose(fp); *************** *** 1136,1141 **** --- 1160,1168 ---- if (no_options) printf("\n", NO_SELECT); + if (title_from_cgi) + printf("\n", + pagetitle); printf("
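Review bot: When `fopen` succeeds but the cookie test fails, the combined condition is false with `fp` still open, and the only `fclose(fp)` visible sits inside the success branch, so the handle appears to leak unless the code after the hunk closes it. The file named by the request is also opened and its first line read before any vetting, so the cookie limits what is printed but not which paths the gateway will touch. For CGI-supplied titles, confining the path to a configured directory before the `fopen` would be a stronger control. Separating the open from the cookie check, as below, at least guarantees the rejected file is closed. The enclosing `if` block ends outside the hunk.

```c
fp = fopen(pagetitle, "r");
if (fp != NULL && title_from_cgi &&
    (fgets(line, MAXSTRLEN, fp) == NULL ||
     strstr(line, TITLECOOKIE) == NULL)) {
        /* CGI-named file without the cookie: close it and treat it as unreadable */
        fclose(fp);
        fp = NULL;
}
if (fp != NULL) {
        /* … unchanged: fgets/printf copy loop and fclose(fp) … */
```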
\n"); }
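Review bot: The added `printf` writes the request-supplied `pagetitle` back into the generated page without escaping. Its format string seems to have lost its markup in this rendering (it shows only `"\n"` with one argument), so the exact context is inferred. If the original emits the value inside an HTML attribute such as a hidden form field, a title containing `"`, `<`, `>` or `&` would break out of the attribute and inject markup into the results page. The value should be HTML-escaped before printing, or rejected earlier if it contains anything beyond the characters expected in a file path or plain title. The enclosing function starts outside this hunk.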