[Mono-docs-list] Web based Monodoc

Philippe Desaulniers filou@histrion.org
08 Jul 2003 21:22:51 -0400



Hello,

On Tue, 2003-07-08 at 12:46, Miguel de Icaza wrote:
> I want to join everyone who has congratulated you on this hack.  It is
> really nice.

Thanks.

> I would love to host this on mono.ximian.com, but I have never written
> cgi web pages, and I would love someone with cgi experience to explore
> any potential security holes in the cgi script.

I'm including a slightly revised and hopefully more robust version
of the CGI script. It will refuse any query containing characters 
that can't come up in a MonoDoc URL. AFAIK this should be safe, but
I'd certainly like to have a peer opinion before removing the "not for
production" sign.

Also, monodoc itself needs to treat the passed URL sensibly, which at 
the moment I can only assume it is doing.

> I do not have a particular preference over using the XSLT inside
> Monodoc, or outside Monodoc.  The approach suggested by Joshua minimizes
> the code we have to maintain in browser.cs, so that is a plus.  The
> downside is that it is not as self-contained as what we have now.

I'd favor using the Mono Xslt processor at the very least. I for one
don't have XML::LibXSLT installed; it just seems that using it would
add useless dependencies (a similar case could be made for not
using Perl in the first place :) ).

To alleviate increasing the complexity in browser.cs, I propose adding
a separate class to generate www output. It will still add code to
maintain in the browser.exe assembly, but perhaps make it a bit cleaner.

I'll email the new version a bit later (in diff -u format ;) ), after
that if all agree let me know if and how I can commit the code...

> You mean the tree view on the right?  You might want to look at the
> "dump.cs" program in Monodoc which is a simple program to dump the
> tree.

That was what I meant, thanks.

'later

phil


Attachment: monodoc.cgi

#!/usr/bin/perl
#
#  monodoc.cgi: Perl usage example of the --www option of the monodoc browser.
# 
#  Author: Philippe Desaulniers (filou@histrion.org)
# 
#  Remarks: This is just a quick hack until a more elaborate ASP.NET integration 
#           of monodoc is developed, and is not intended for production use...
#

$query = $ENV{QUERY_STRING};

print "Content-type: text/html\n\n";
print "<html>\n";
print "<head>\n";
print "<title>Monodoc Documentation Browser</title>\n";
print "</head>\n";
print "<body>\n";

#
# Validate query: a MonoDoc URL can contain lower/upper alpha, numeric, ':' '.' ',' '/' '*' '-' '_' '(' ')'
# 
# Remarks: validation here is strictly for CGI security purposes, monodoc will validate that the URL
#          is well-formed and meaningful.
#

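# \z anchors at the very end of the string; '$' would also accept a trailing newline.
if ($query =~ m/^[a-zA-Z0-9:.,\/\*\-_()]+\z/) {

	# List form of system() runs monodoc directly, without passing $query through a shell.
	system("monodoc", "--www", "monodoc.cgi?", $query);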
}

else {
	print ("<p>Invalid Query</p>\n");
}

print "</body>\n";
print "</html>\n";

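A way to give the allowlist the peer review the message asks for, as an added example that is not part of the original post or of monodoc.cgi: it runs the script's character class over constructed queries with both a `$` and a `\z` end anchor. The sample queries and the `run_monodoc` helper are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: exercise the monodoc.cgi query allowlist on constructed input.
use strict;
use warnings;

# Character class as listed in monodoc.cgi's validation comment.
# '$' also matches just before a final newline; '\z' matches only at the end.
my $dollar = qr/^[a-zA-Z0-9:.,\/\*\-_()]+$/;
my $strict = qr/^[a-zA-Z0-9:.,\/\*\-_()]+\z/;

# Constructed sample queries: [label, value].
my @samples = (
    [ 'type URL',         'T:System.String' ],
    [ 'method URL',       'M:System.Console.WriteLine(System.String)' ],
    [ 'empty query',      '' ],
    [ 'single quote',     "T:System.String'x" ],
    [ 'space',            'T:System String' ],
    [ 'semicolon',        'T:System.String;x' ],
    [ 'percent escape',   'T:System%2EString' ],
    [ 'trailing newline', "T:System.String\n" ],
    [ 'leading dash',     '-x' ],
);

sub verdict {
    my ($re, $q) = @_;
    return $q =~ $re ? 'accept' : 'reject';
}

printf "%-18s %-8s %-8s\n", 'case', '$', '\z';
for my $s (@samples) {
    my ($label, $q) = @$s;
    printf "%-18s %-8s %-8s\n", $label, verdict($dollar, $q), verdict($strict, $q);
}

# Hypothetical helper (not called here): validate, then run monodoc with the
# list form of system(), so each element is one argument and no shell is used.
sub run_monodoc {
    my ($q) = @_;
    return 0 unless defined $q && $q =~ $strict;
    return system('monodoc', '--www', 'monodoc.cgi?', $q) == 0;
}
```

Only the trailing-newline case differs between the two anchors. The leading-dash value passes both, so how monodoc parses that argument stays part of the review, as the message notes.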