[Mono-docs-list] Web based Monodoc
Philippe Desaulniers
filou@histrion.org
08 Jul 2003 21:22:51 -0400
Hello,
On Tue, 2003-07-08 at 12:46, Miguel de Icaza wrote:
> I want to join everyone who has congratulated you on this hack. It is
> really nice.
Thanks.
> I would love to host this on mono.ximian.com, but I have never written
> cgi web pages, and I would love someone with cgi experience to explore
> any potential security holes in the cgi script.
I'm including a slightly revised and hopefully more robust version
of the CGI script. It will refuse any query containing characters
that can't come up in a MonoDoc URL. AFAIK this should be safe, but
I'd certainly like to have a peer opinion before removing the "not for
production" sign.
Also, monodoc itself needs to treat the passed URL sensibly, which at
the moment I can only assume it is doing.
> I do not have a particular preference over using the XSLT inside
> Monodoc, or outside Monodoc. The approach suggested by Joshua minimizes
> the code we have to maintain in browser.cs, so that is a plus. The
> downside is that it is not as self-contained as what we have now.
I'd favor using the Mono Xslt processor at the very least. I for one
don't have XML::LibXSLT installed, it just seems that using it would
add up useless dependencies (a similar case could be made for not
using Perl in the first place :) ).
To alleviate increasing the complexity in browser.cs, I propose adding
a separate class to generate www output. It will still add code to
maintain in the browser.exe assembly, but perhaps make it a bit cleaner.
I'll email the new version a bit later (in diff -u format ;) ), after
that if all agree let me know if and how I can commit the code...
> You mean the tree view on the right? You might want to look at the
> "dump.cs" program in Monodoc which is a simple program to dump the
> tree.
That was what I meant, thanks.
'later
phil
Attachment: monodoc.cgi
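#!/usr/bin/perl
#
# monodoc.cgi: Perl usage example of the --www option of the monodoc browser.
#
# Author: Philippe Desaulniers (filou@histrion.org)
#
# Remarks: This is just a quick hack until a more elaborate ASP.NET integration
# of monodoc is developed, and is not intended for production use...
#
use strict;
use warnings;

# Flush our own output immediately so the header and page prologue reach the
# client before anything the monodoc child process writes to the same stdout.
$| = 1;

my $query = defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING} : '';

print "Content-type: text/html\n\n";
print "<html>\n";
print "<head>\n";
print "<title>Monodoc Documentation Browser</title>\n";
print "</head>\n";
print "<body>\n";
#
# Validate query: a MonoDoc URL can contain lower/upper alpha, numeric, ':' '.' ',' '/' '*' '-' '_' '(' ')'
#
# Remarks: validation here is strictly for CGI security purposes, monodoc will validate that the URL
# is well-formed and meaningful.
#
# \A and \z anchor the match to the whole string; '$' would also match just
# before a trailing newline.
if ($query =~ m/\A[a-zA-Z0-9:.,\/\*\-_()]+\z/) {
    # List form of system() runs monodoc directly, without a shell, so the
    # query is passed as a single argument and never parsed as shell syntax.
    system('monodoc', '--www', 'monodoc.cgi?', $query);
}
else {
    print "<p>Invalid Query</p>\n";
}
print "</body>\n";
print "</html>\n";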
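
A small harness for reviewing the allowlist in the attached script, added here as an example and not part of the original message or of Monodoc: it runs the script's character class over constructed queries with both ^...$ and \A...\z anchoring, then passes an accepted query to a child process through list-form system(). The sample queries and the use of $^X (the running perl) as a stand-in for monodoc are assumptions.

```perl
#!/usr/bin/perl
# Added example: exercises the allowlist from monodoc.cgi on constructed input.
use strict;
use warnings;
$| = 1;    # keep our output ordered ahead of the child's

# Character class copied from monodoc.cgi.
my $ALLOWED = qr/[a-zA-Z0-9:.,\/\*\-_()]/;

# Anchored with ^...$: '$' also matches just before a final "\n".
sub valid_dollar { my ($q) = @_; return $q =~ /^$ALLOWED+$/ ? 1 : 0 }

# Anchored with \A...\z: every character of the string must be allowed.
sub valid_strict { my ($q) = @_; return $q =~ /\A$ALLOWED+\z/ ? 1 : 0 }

# Constructed sample queries (not taken from real traffic).
my @samples = (
    'N:System',
    'T:System.String',
    'M:System.String.Format(System.String,System.Object)',
    '',
    "T:System.String\n",
    q{T:System.String';id;'},
    'T:System.String$(id)',
    'T:System.String`id`',
    'T:System.String%27',
    'T:System String',
);

printf "%-8s %-8s %s\n", '^..$', '\A..\z', 'query';
for my $q (@samples) {
    (my $shown = $q) =~ s/\n/\\n/g;    # make a newline visible in the table
    printf "%-8s %-8s %s\n",
        valid_dollar($q) ? 'accept' : 'reject',
        valid_strict($q) ? 'accept' : 'reject',
        "[$shown]";
}

# List-form system() never starts a shell, so an accepted query containing
# '*' or '(' reaches the child as one unmodified argument.
# $^X (the running perl) stands in for monodoc here.
my $q = 'M:System.Console.WriteLine(*)';
if (valid_strict($q)) {
    system($^X, '-e', 'print "child argv: [$ARGV[0]]\n"', $q) == 0
        or die "child failed: $?";
}
```

Only the query ending in a newline is treated differently by the two anchorings; every sample containing a quote, space, '$', backtick or '%' is rejected by both.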