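# $Id: display-sql.tcl,v 1.2 2004/09/27 14:21:09 brianm Exp $
# display-sql.tcl
#
# by philg on 12/19/98
#
# enables user to see a .sql file without encountering the
# AOLserver's db module magic (offering to load the SQL into a database)
#
# patched by philg at Jeff Banks's request on 12/5/99
# to close the security hole whereby a client adds extra form
# vars
#
# form variables (both come from the client and are untrusted):
#   url          path of the .sql file, relative to the pageroot
#                (or to the package root when package_key is given)
#   package_key  optional; selects a package root via acs_package_root_dir
#
# the file is served as text/plain; anything that is not a regular
# .sql file inside the chosen root is refused.

set_form_variables

if { ![info exists package_key] } {
    set package_key ""
}

if { ![info exists url] } {
    ns_return 200 text/plain "please specify the URL of a .sql file to view"
    return
}

# url (full relative path)
# this is normally a password-protected page, but to be safe let's
# check the incoming URL for ".." to make sure that someone isn't
# doing
# https://photo.net/doc/sql/display-sql.tcl?url=/../../../../etc/passwd
# for example
if { [string match "*..*" $url] || [string match "*..*" $package_key] } {
    ad_return_error "Can't back up beyond the pageroot" \
        "You can't use display-sql.tcl to look at files underneath the pageroot."
    return
}

# package_key gets spliced into a filesystem path by acs_package_root_dir,
# so only accept the characters a package key can actually contain
# (letters, digits, "-" and "_"); in particular this rejects "/".
if { ![regexp {^[A-Za-z0-9_-]*$} $package_key] } {
    ad_return_error "Invalid package key" \
        "The package_key may only contain letters, digits, \"-\" and \"_\"."
    return
}

# pick the directory the URL is resolved against
if { [empty_string_p $package_key] } {
    set root [ns_info pageroot]
} else {
    set root [acs_package_root_dir $package_key]
}

# resolve the requested file and make sure it is still inside $root.
# plain concatenation ($root$url) is not enough: a url that does not
# start with "/" could name a sibling directory whose name merely
# begins with the root's basename ("www" -> "www-private"), and "./"
# segments or symlinked intermediate directories are not caught by
# the ".." test above.  the root is prepended as a string (not via
# "file join") so that a leading "~" in $url is never tilde-expanded.
set root [file normalize $root]
set path [file normalize "$root/[string trimleft $url "/"]"]
if { [string first "$root/" $path] != 0 } {
    ad_return_error "Can't back up beyond the pageroot" \
        "You can't use display-sql.tcl to look at files underneath the pageroot."
    return
}

# this page exists to show .sql files only; refuse to act as a generic
# file reader for the pageroot (which also holds the site's .tcl sources)
if { ![string equal [string tolower [file extension $path]] ".sql"] } {
    ad_return_error "Not a .sql file" \
        "display-sql.tcl can only display files whose name ends in .sql."
    return
}

# a directory or missing file would make ns_returnfile fail noisily;
# answer 404 instead
if { ![file isfile $path] } {
    ns_returnnotfound
    return
}

ns_returnfile 200 text/plain $path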