Index: head/www/cgihtml/files/patch-cgi-lib.c
===================================================================
--- head/www/cgihtml/files/patch-cgi-lib.c	(revision 415037)
+++ head/www/cgihtml/files/patch-cgi-lib.c	(revision 415038)
@@ -1,120 +1,159 @@
 Index: cgi-lib.c
 ===================================================================
 RCS file: /home/cvs/ringlet/c/contrib/www/cgihtml/cgi-lib.c,v
 retrieving revision 1.1.1.1
 retrieving revision 1.6
 --- cgi-lib.c.orig	1998-05-04 02:12:52 UTC
 +++ cgi-lib.c
 @@ -17,6 +17,10 @@
  
  #ifdef WINDOWS
  #include <io.h>
 +#define mktemp	_mktemp
 +#define snprintf	_snprintf
 +#else
 +#include <unistd.h>
  #endif
  
  #include "cgi-lib.h"
 @@ -87,11 +91,11 @@ char *get_DEBUG()
  
  char *get_POST()
  {
 -  unsigned int content_length;
 +  size_t content_length;
    char *buffer;
  
    if (CONTENT_LENGTH != NULL) {
 -    content_length = atoi(CONTENT_LENGTH);
 +    content_length = (size_t)strtoull(CONTENT_LENGTH, NULL, 10);
      buffer = (char *)malloc(sizeof(char) * content_length + 1);
      if (fread(buffer,sizeof(char),content_length,stdin) != content_length) {
        /* consistency error. */
+@@ -181,7 +185,7 @@ int parse_CGI_encoded(llist *entries, ch
+ 
+ /* stolen from k&r and seriously modified to do what I want */
+ 
+-int getline(char s[], int lim)
++int get_line(char s[], int lim)
+ {
+   int c, i=0, num;
+ 
 @@ -202,7 +206,7 @@ int getline(char s[], int lim)
  
  int parse_form_encoded(llist* entries)
  {
 -  long content_length;
 +  size_t content_length, fnsize;
    entrytype entry;
    node* window;
    FILE *uploadfile;
 @@ -220,7 +224,7 @@ int parse_form_encoded(llist* entries)
    _fmode = BINARY;                    /* default all file I/O as binary */
  #endif
    if (CONTENT_LENGTH != NULL)
 -    content_length = atol(CONTENT_LENGTH);
 +    content_length = (size_t)strtoull(CONTENT_LENGTH, NULL, 10);
    else
      return 0;
    /* get boundary */
+@@ -231,9 +235,9 @@ int parse_form_encoded(llist* entries)
+   list_create(entries);
+   window = entries->head;
+   /* ignore first boundary; this isn't so robust; improve it later */
+-  getline(buffer,BUFSIZ);
++  get_line(buffer,BUFSIZ);
+   /* now start parsing */
+-  while ((bytesread=getline(buffer,BUFSIZ)) != 0) {
++  while ((bytesread=get_line(buffer,BUFSIZ)) != 0) {
+     start = 1;
+     /* this assumes that buffer contains no binary characters.
+        if the buffer contains the first valid header, then this
 @@ -241,14 +245,20 @@ int parse_form_encoded(llist* entries)
         robustness sake. */
      buffer[bytesread] = '\0';
      tempstr = newstr(buffer);
 -    tempstr += (sizeof(char) * 38); /* 38 is header up to name */
 -    entry.name = tempstr;
 +    entry.name = strstr(tempstr, "name=\"");
 +    if (entry.name == NULL) {
 +      free(tempstr);
 +      return 0;
 +    }
 +    entry.name += 6;
 +    if (strchr(entry.name, '"') == NULL) {
 +      free(tempstr);
 +      return 0;
 +    }
 +    *strchr(entry.name, '"') = '\0';
      entry.value = (char *)malloc(sizeof(char) * BUFSIZ + 1);
      buffersize = BUFSIZ;
      strcpy(entry.value,"");
 -    while (*tempstr != '"')
 -      tempstr++;
 -    *tempstr = '\0';
      if (strstr(buffer,"filename=\"") != NULL) {
        isfile = 1;
        tempstr = newstr(buffer);
 @@ -258,9 +268,9 @@ int parse_form_encoded(llist* entries)
  	entry.value = (char *) realloc(entry.value, sizeof(char) *
  				       strlen(tempstr)+1);
        entry.value = tempstr;
 -      while (*tempstr != '"')
 -	tempstr++;
 -      *tempstr = '\0';
 +      if (strchr(tempstr, '"') == NULL)
 +        return 0;
 +      *strchr(tempstr, '"') = '\0';
        /* Netscape's Windows browsers handle paths differently from its
  	 UNIX and Mac browsers.  It delivers a full path for the uploaded
  	 file (which it shouldn't do), and it uses backslashes rather than
 @@ -275,13 +285,12 @@ int parse_form_encoded(llist* entries)
        }
        window = list_insafter(entries,window,entry);
        numentries++;
 -      uploadfname = (char *)malloc(strlen(UPLOADDIR)+strlen(entry.value)+2);
 -#ifdef WINDOWS
 -      sprintf(uploadfname,"%s\\%s",UPLOADDIR,entry.value);
 -#else
 -      sprintf(uploadfname,"%s/%s",UPLOADDIR,entry.value);
 -#endif
 -      if ( (uploadfile = fopen(uploadfname,"w")) == NULL) {
 +      fnsize = strlen(UPLOADDIR) + 30;
 +      uploadfname = (char *)malloc(fnsize);
 +      snprintf(uploadfname,fnsize,"%s/cgihtml-upload-XXXXXX",UPLOADDIR);
 +      uploadfname[fnsize - 1] = '\0';
 +      if (mktemp(uploadfname) == NULL ||
 +          (uploadfile = fopen(uploadfname,"w")) == NULL) {
  	/* null filename; for now, just don't save info.  later, save
  	   to default file */
  	isfile = 0;
+@@ -290,7 +299,7 @@ int parse_form_encoded(llist* entries)
+     else
+       isfile = 0;
+     /* ignore rest of headers and first blank line */
+-    while (getline(buffer, BUFSIZ) > 1) {
++    while (get_line(buffer, BUFSIZ) > 1) {
+       /* DOS style blank line? */
+       if ((buffer[0] == '\r') && (buffer[1] == '\n'))
+ 	break;
+@@ -298,7 +307,7 @@ int parse_form_encoded(llist* entries)
+     done = 0;
+     j = 0;
+     while (!done) {
+-      bytesread = getline(buffer,BUFSIZ);
++      bytesread = get_line(buffer,BUFSIZ);
+       buffer[bytesread] = '\0';
+       if (bytesread && strstr(buffer,boundary) == NULL) {
+ 	if (start) {
 @@ -529,9 +538,9 @@ int parse_cookies(llist *entries)
    int numcookies = 0;
    short NM = 1;
  
 +  list_create(entries);
    if (cookies == NULL)
      return 0;
 -  list_create(entries);
    window = entries->head;
    len = strlen(cookies);
    entry.name = (char *)malloc(sizeof(char) * len + 1);