Checking validity of coqdoc file name.

This fixes #12265 (javascript injection vulnerability in file name).

3 files changed, 5 insertions, 2 deletions

diff --git a/doc/tools/coqrst/coqdoc/main.py b/doc/tools/coqrst/coqdoc/main.py
index de0d912c03..522b9900a5 100644
--- a/doc/tools/coqrst/coqdoc/main.py
+++ b/doc/tools/coqrst/coqdoc/main.py
@@ -36,7 +36,7 @@ COQDOC_HEADER = "".join("(** remove printing {} *)".format(s) for s in COQDOC_SY
 def coqdoc(coq_code, coqdoc_bin=None):
     """Get the output of coqdoc on coq_code."""
     coqdoc_bin = coqdoc_bin or os.path.join(os.getenv("COQBIN", ""), "coqdoc")
-    fd, filename = mkstemp(prefix="coqdoc-", suffix=".v")
+    fd, filename = mkstemp(prefix="coqdoc_", suffix=".v")
     if platform.system().startswith("CYGWIN"):
         # coqdoc currently doesn't accept cygwin style paths in the form "/cygdrive/c/..."
         filename = check_output(["cygpath", "-w", filename]).decode("utf-8").strip()
diff --git a/tools/coqdoc/dune b/tools/coqdoc/dune
index 9c0a6ccffe..e3c792f277 100644
--- a/tools/coqdoc/dune
+++ b/tools/coqdoc/dune
@@ -9,6 +9,6 @@
  (name main)
  (public_name coqdoc)
  (package coq)
- (libraries str coq.config))
+ (libraries str coq.config coq.clib))
 
 (ocamllex cpretty)
diff --git a/tools/coqdoc/main.ml b/tools/coqdoc/main.ml
index 1be247366d..6ebf9b71d6 100644
--- a/tools/coqdoc/main.ml
+++ b/tools/coqdoc/main.ml
@@ -127,6 +127,9 @@ let rec name_of_path p name dirname suffix =
 let coq_module filename =
   let bfname = Filename.chop_extension filename in
   let dirname, fname = normalize_filename bfname in
+  let _ = match Unicode.ident_refutation fname with
+    | Some err -> eprintf "\ncoqdoc: not a valid filename %s.v\n" fname; exit 1
+    | None -> () in
   let rec change_prefix = function
     (* Follow coqc: if in scope of -R, substitute logical name *)
     (* otherwise, keep only base name *)