home readme diff tree note docs

0commit fec08c85f225c1cc20042720778823b18c007568
1Author: lakefox <mason@lakefox.net>
2Date:   Sat Jan 31 12:11:07 2026 -0700
3
4    Sanitization
5
6diff --git a/cgi-bin/git.awk b/cgi-bin/git.awk
7index 6175b18..a65f006 100755
8--- a/cgi-bin/git.awk
9+++ b/cgi-bin/git.awk
10@@ -8,13 +8,13 @@ BEGIN {
11                 split(pairs[i], kv, "=")
12 
13                 if (kv[1] == "action") {
14-                        action = kv[2]
15+                        action = sanitize(kv[2])
16                 } else if (kv[1] == "name") {
17-                        name = kv[2]
18+                        name = sanitize(kv[2])
19                 } else if (kv[1] == "hash") {
20-                        hash = kv[2]
21+                        hash = sanitize(kv[2])
22                 } else if (kv[1] == "path") {
23-                        path = kv[2]
24+                        path = sanitize(kv[2])
25                 }
26         }
27 
28@@ -167,3 +167,13 @@ function escape_html(str) {
29     return str
30 }
31 
32+function sanitize(str) {
33+    # Remove any character that isn't a letter, number, dot, dash, or underscore
34+    # This prevents shell metacharacters like ; | & $ > < ( ) from reaching the shell
35+    gsub(/[^a-zA-Z0-9.\/_-]/, "", str)
36+    
37+    # Prevent Directory Traversal (e.g., ../../../etc/passwd)
38+    gsub(/\.\./, "", str)
39+    
40+    return str
41+}
42diff --git a/cgi-bin/mailto.awk b/cgi-bin/mailto.awk
43index b86f39f..28d0040 100755
44--- a/cgi-bin/mailto.awk
45+++ b/cgi-bin/mailto.awk
46@@ -48,14 +48,14 @@ BEGIN {
47 		split(pairs[i], kv, "=")
48 
49 		if (kv[1] == "action") {
50-			action = kv[2]
51+			action = sanitize(kv[2])
52 		} else if (kv[1] == "view") {
53-			view = kv[2]
54+			view = sanitize(kv[2])
55 		} else if (kv[1] == "email") {
56-			email = kv[2]
57+			email = sanitize(kv[2])
58 			gsub(/\%40/, "@", email)
59 		} else if (kv[1] == "list") {
60-			list = tolower(kv[2])
61+			list = tolower(sanitize(kv[2]))
62 			gsub(/\%2f/, "/", list)
63 		}
64 	}
65@@ -268,3 +268,13 @@ function getThreads(username, password, inbox) {
66 	}
67 
68 }
69+function sanitize(str) {
70+    # Remove any character that isn't a letter, number, dot, dash, or underscore
71+    # This prevents shell metacharacters like ; | & $ > < ( ) from reaching the shell
72+    gsub(/[^a-zA-Z0-9.\/_-]/, "", str)
73+
74+    # Prevent Directory Traversal (e.g., ../../../etc/passwd)
75+    gsub(/\.\./, "", str)
76+
77+    return str
78+}