diff --git a/webtools/bonsai/CGI.pl b/webtools/bonsai/CGI.pl
index ffd8bb9e92d4..7aad2abf2ae3 100644
--- a/webtools/bonsai/CGI.pl
+++ b/webtools/bonsai/CGI.pl
@@ -43,7 +43,7 @@ sub url_decode {
 # Quotify a string, suitable for putting into a URL.
 sub url_quote {
     my($toencode) = (@_);
-    $toencode=~s/([^a-zA-Z0-9_\-.])/uc sprintf("%%%02x",ord($1))/eg;
+    $toencode =~ s/([^a-zA-Z0-9_\-\/.])/uc sprintf("%%%02x",ord($1))/eg;
     return $toencode;
 }
 
diff --git a/webtools/bonsai/Makefile.in b/webtools/bonsai/Makefile.in
index 03de1b262435..b437558fb01c 100644
--- a/webtools/bonsai/Makefile.in
+++ b/webtools/bonsai/Makefile.in
@@ -55,9 +55,7 @@ FILES = CGI.pl			\
 	cvsblame.pl		\
 	cvsguess.cgi		\
 	cvsgraph.cgi		\
-	cvsindex.pl		\
 	cvslog.cgi		\
-	cvsmenu.pl		\
 	cvsquery.cgi		\
 	cvsquery.pl		\
 	cvsqueryform.cgi	\
@@ -79,25 +77,18 @@ FILES = CGI.pl			\
 	globals.pl		\
 	handleAdminMail.pl	\
 	handleCheckinMail.pl	\
-	header.pl		\
 	index.html		\
-	indextest.pl		\
-	lloydcgi.pl		\
 	maketables.sh		\
 	moduleanalyse.cgi	\
 	modules.pl		\
 	multidiff.cgi		\
 	openmessage		\
-	processqueue.pl		\
 	rebuildcvshistory.cgi	\
 	repophook.cgi		\
-	reposfiles.pl		\
 	rview.cgi		\
 	showcheckins.cgi	\
 	switchtree.cgi		\
-	testlock.pl		\
 	toplevel.cgi		\
-	utils.pl		\
 	viewold.cgi
 
 all: trapdoor treeconfig.pl params
diff --git a/webtools/bonsai/README b/webtools/bonsai/README
index 7f359412c7db..bcb04a96ffc0 100644
--- a/webtools/bonsai/README
+++ b/webtools/bonsai/README
@@ -79,7 +79,9 @@ Makefile.in:		"make install" lets you specify where you store
 SourceChecker.cgi	scc wrote to help sanitize code.  DELETE
 			Called by: nobody
 
-SourceChecker.pm	Callled by: SourceChecker.cgi
+SourceChecker.pm	Called by: 
+				SourceChecker.cgi
+				cvsblame.cgi when passed sanitize=<dictionary>
 
 addcheckin.pl		Perl. Add a checkin to a Bonsai hook. Determines
 			if the tree was open or closed at the time, shunts
@@ -142,7 +144,7 @@ bonsai.gif		a bonsai tree.
 closemessage	 	HTML, text that gets sent to all people on the hook
 			when the tree is closed.	
 
-configure		Configure script (generated from configure.in?)
+configure		Configure script (generated from configure.in)
 
 configure.in		Configure.in script
 
@@ -154,6 +156,12 @@ countcheckins.cgi	Perl.  Draws a graph of checkins for the various
 			Calls: nobody
 
 createlegaldirs.pl	Use this to create the 'legaldirs' file for a module.
+			Called by (via globals.pl LoadDirList):
+				addcheckin.pl
+				moduleanalyse.cgi
+				rebuildcvshistory.cgi
+				repophook.cgi
+				rview.cgi
 
 cvsblame.cgi		Runs through a CVS file and tells you who changed what.
 			Calls:
@@ -172,7 +180,7 @@ cvsblame.cgi		Runs through a CVS file and tells you who changed what.
 				cvsview2.cgi
 				moduleanalyse.cgi
 
-cvsblame.pl			Runs through a CVS file and tells you who changed what.
+cvsblame.pl		Runs through a CVS file and tells you who changed what.
 			Called by:
 				cvsblame.cgi
 				cvslog.cgi
@@ -192,7 +200,7 @@ cvsguess.cgi		Given a file name, try to figure out what directory
 				cvsblame.cgi file= rev= mark= #
 			Called by: *tinderbox
 
-cvsindex.pl		???
+cvsindex.pl		???  			DELETE
 
 cvslog.cgi		Web interface to "cvs log".
 			Calls:
@@ -217,7 +225,7 @@ cvslog.cgi		Web interface to "cvs log".
 				cvsblame.cgi
 				cvslog.cgi
 
-cvsmenu.pl		???
+cvsmenu.pl		???				DELETE
 
 cvsquery.cgi		Displays the results of a query entered in cvsqueryform
 			Called by: 
@@ -235,11 +243,7 @@ cvsquery.cgi		Displays the results of a query entered in cvsqueryform
 				../registry/who.cgi email=
 				http://scopus.mcom.com/bugsplat/show_bug.cgi
 
-cvsquery.gi		???
-			Calls:
-				cvsquery.pl
-
-cvsquery.pl		???
+cvsquery.pl		Actual query functions used by cvsquery.cgi
 			Called by: 
 				cvsquery.cgi
 
@@ -267,7 +271,7 @@ cvsqueryform.cgi	Main screen to let you query the CVS database.
 					maxdate=
 					cvsroot=
 
-cvsregexp.html		???
+cvsregexp.html		Description of MySQL regular expression syntax
 
 cvsview2.cgi		Lets you view CVS diffs.
 			Called by:
@@ -361,7 +365,13 @@ editwhiteboard.cgi	Perl.  Edits the free-for-all whiteboard.
 			Calls:
 				doeditwhiteboard.cgi
 
-globals.pl		???
+get_line.pl		Provides line parsing function, get_line
+			Calls: nobody
+			Called by:
+				cvsquery.pl
+				modules.pl
+
+globals.pl		Common functions used by various scripts.
 
 handleAdminMail.pl 	Perl. Mail is piped to this script and parsed.  
 			Calls:
@@ -370,27 +380,20 @@ handleAdminMail.pl 	Perl. Mail is piped to this script and parsed.
 handleCheckinMail.pl	Perl. Mail is piped to this script and parsed. It
 			then adds a checkin to a Bonsai hook.
 
-header.pl		???
+header.pl		???				DELETE
 
 index.html		loads cvsqueryform.cgi
 
-indextest.pl		???
+indextest.pl		???				DELETE
 
 lloydcgi.pl		parses CGI args from $QUERY_STRING and leaves them
 			in $form{$key}; and puts cookies in %cookie_jar.
 			Calls: nobody
-			Called by: everybody
+			Called by: whohastouchedwhat.cgi
 
-localprofile.cgi	Perl.  Display peoples contact info.  Left-over code
-			from before we started getting this info from LDAP.
+maketables.sh		Creates sql database & tables used by bonsai.
 			Called by:
 				nobody
-			Calls:
-				editprofile.cgi
-				profile.cgi
-
-maketables.sh		???
-			Unused?
 
 moduleanalyse.cgi	Shows the directories in a module.
 			Called by:
@@ -400,11 +403,10 @@ moduleanalyse.cgi	Shows the directories in a module.
 				rview.cgi dir= cvsroot=
 				cvsblame.cgi file= root=
 
-modules.pl		???
+modules.pl		Populates $::modules{} with list of CVS modules 
+			from $cvsroot/CVSROOT/modules.			
 			Called by:
-				branchspam.cgi
 				cvsqueryform.cgi
-				moduleanalyse.cgi
 
 multidiff.cgi		Implements the "Show me ALL the Diffs" button
 			Called by:
@@ -414,21 +416,10 @@ multidiff.cgi		Implements the "Show me ALL the Diffs" button
 			Calls:
 				nobody
 
-myglobrecur.pl		???
+openmessage	 	Mail template that gets sent to people when they first
+			check into the tree
 
-openmessage		???
-
-perlifyconfig.pl	???
-
-processqueue.pl		???
-
-profile.cgi		Perl.  Stupid interface to LDAP to show all the info
-			about a person.
-			Called by:
-				localprofile.cgi
-				show2.cgi
-			Calls:
-				profile.cgi person=
+processqueue.pl		Pipes data/queue files to dolog.pl.	DELETE
 
 rebuildcvshistory.cgi	Perl.  Admin script to go rebuild the bonsai database 
 			from CVS.
@@ -437,15 +428,14 @@ rebuildcvshistory.cgi	Perl.  Admin script to go rebuild the bonsai database
 			Calls:
 				nobody
 
-rebuilddatabase.pl	???
-
 repophook.cgi		Perl.  Rebuilds a bonsai hook from the bonsai database.
 			Called by:
 				admin.cgi
 			Calls:
 				nobody
 
-reposfiles.pl		???
+reposfiles.pl		Generates a list of all files in the repository.
+			DELETE
 
 rview.cgi		Lets you browse a directory in a CVS repository.
 			Called by:
@@ -476,15 +466,13 @@ showcheckins.cgi	Perl.  Shows some set of checkins in a bonsai hook.
 					command=DIRECTORY
 				multidiff.cgi allchanges=
 
-status/			???
-
 switchtree.cgi		Perl.  Lets you choose a different bonsai branch.
 			Called by:
 				toplevel.cgi
 			Calls:
 				nobody
 
-testlock.pl		???
+testlock.pl		Tests the Un/Lock functionality of utils.pl. DELETE
 
 toplevel.cgi		Perl.  Main interface to the bonsai hook.
 			Called by:
@@ -511,9 +499,10 @@ toplevel.cgi		Perl.  Main interface to the bonsai hook.
 				contacthelp.html
 				http://warp/client/dogbert/buildlore/index.html
 
-trapdoor.c		???
+trapdoor.c		Runs crypt on passwd
 
-utils.pl		???
+utils.pl		Ancient globals.pl. 			DELETE
+			Called by: testlock.pl  whohastouchedwhat.cgi
 
 viewold.cgi		Perl.  Lets you choose an old bonsai hook to view.
 			Called by:
diff --git a/webtools/bonsai/addcheckin.pl b/webtools/bonsai/addcheckin.pl
index e587c059ddad..0780303be007 100755
--- a/webtools/bonsai/addcheckin.pl
+++ b/webtools/bonsai/addcheckin.pl
@@ -24,6 +24,8 @@ require 'globals.pl';
 
 use vars qw($BatchID @TreeList @LegalDirs);
 
+use File::Path;
+
 if (@::CheckInList) {
      die '@::CheckInList is valid ?!?';
 }
@@ -85,8 +87,7 @@ LINE:
                     
                     Lock();
                     unless (-d "data/taginfo/$mungedname") {
-                         system("mkdir", "-p", "data/taginfo/$mungedname");
-                         system("chmod", "-R", "777", "data/taginfo/$mungedname");
+                        mkpath(["data/taginfo/$mungedname"], 1, 0777);
                     }
                     if (open(TAGFILE, ">> $filename")) {
                          print TAGFILE "$tagtime|" . join('|', @data) .  "\n";
@@ -119,8 +120,7 @@ LINE:
           $mungedname =~ s!^_!!;
           $filename = "data/checkinlog/$mungedname";
           unless (-d "data/checkinlog") {
-               system("mkdir", "-p", "data/checkinlog");
-               system("chmod", "-R", "777", "data/checkinlog");
+              mkpath(["data/checkinlog"], 1, 0777);
           }
           if (open(TID, ">> $filename")) {
                print TID "${appendjunk}LOGCOMMENT\n$plainlog:ENDLOGCOMMENT\n";
diff --git a/webtools/bonsai/cvsblame.cgi b/webtools/bonsai/cvsblame.cgi
index ecc852b50511..b1c391447b0a 100755
--- a/webtools/bonsai/cvsblame.cgi
+++ b/webtools/bonsai/cvsblame.cgi
@@ -54,7 +54,6 @@ sub sillyness {
 
 require 'CGI.pl';
 require 'cvsblame.pl';
-require 'lloydcgi.pl';
 use SourceChecker;
 
 # Cope with the cookie and print the header, first thing.  That way, if
@@ -101,8 +100,9 @@ if ($filename eq '')
     print "\nFiles in the CVSROOT dir cannot be viewed.\n";
     exit;
 }
-
 my ($file_head, $file_tail) = $filename =~ m@(.*/)?(.+)@;
+my $url_filename = url_quote($filename);
+my $url_file_tail = url_quote($file_tail);
 
 # Handle the "rev" argument
 #
@@ -253,11 +253,11 @@ print "<A HREF='$lxr_path'>$file_tail</a> ";
 my $graph_cell = Param('cvsgraph') ? <<"--endquote--" : "";
        </TR><TR>
         <TD NOWRAP>
-         <A HREF="cvsgraph.cgi?file=$filename">Revision Graph</A>
+         <A HREF="cvsgraph.cgi?file=$url_filename">Revision Graph</A>
         </TD>
 --endquote--
 
-print " (<A HREF='cvsblame.cgi?file=$filename&rev=$revision&root=$root'";
+print " (<A HREF='cvsblame.cgi?file=$url_filename&rev=$revision&root=$root'";
 print " onmouseover='return log(event,\"$::prev_revision{$revision}\",\"$revision\");'" if $::use_layers;
 print " onmouseover=\"showMessage('$revision','top')\" id=\"line_top\"" if $::use_dom;
 print ">";
@@ -279,7 +279,7 @@ print qq(
         </TD>
        </TR><TR>
         <TD NOWRAP>
-         <A HREF="cvslog.cgi?file=$filename$revstr">Full Change Log</A>
+         <A HREF="cvslog.cgi?file=$url_filename$revstr">Full Change Log</A>
         </TD>
 $graph_cell
        </TR>
@@ -370,9 +370,9 @@ foreach $revision (@::revision_map)
         $revision_width = max($revision_width,length($revision));
 
 	if ($::prev_revision{$revision}) {
-	  $output .= "<A HREF=\"cvsview2.cgi?diff_mode=context&whitespace_mode=show&root=$root&subdir=$rcs_path&command=DIFF_FRAMESET&file=$file_tail&rev2=$revision&rev1=$::prev_revision{$revision}\"";
+	  $output .= "<A HREF=\"cvsview2.cgi?diff_mode=context&whitespace_mode=show&root=$root&subdir=$rcs_path&command=DIFF_FRAMESET&file=$url_file_tail&rev2=$revision&rev1=$::prev_revision{$revision}\"";
 	} else {
-	  $output .= "<A HREF=\"cvsblame.cgi?file=$filename&rev=$revision&root=$root\"";
+	  $output .= "<A HREF=\"cvsblame.cgi?file=$url_filename&rev=$revision&root=$root\"";
 	}
 	$output .= " onmouseover='return log(event,\"$::prev_revision{$revision}\",\"$revision\");'" if $::use_layers;
         $output .= " onmouseover=\"showMessage('$revision','$line')\" id=\"line_$line\"" if $::use_dom;
@@ -806,7 +806,7 @@ sub leave_html_comments {
 
     # Now fix the breakage of <username> stuff on xfe. -byrd
     if ($text =~ /(.*)<(.*@.*)>(.*\n)/) {
-        $text = $1 . "<A HREF=mailto:$2?subject=$filename>$2</A>" . $3;
+        $text = $1 . "<A HREF=mailto:$2?subject=$url_filename>$2</A>" . $3;
     }
 
     return $text;
diff --git a/webtools/bonsai/cvsblame.pl b/webtools/bonsai/cvsblame.pl
index e22468547fd2..3cb9faf48adf 100755
--- a/webtools/bonsai/cvsblame.pl
+++ b/webtools/bonsai/cvsblame.pl
@@ -409,7 +409,7 @@ sub parse_rcs_deltatext {
 sub parse_rcs_file {
     my $path = shift;
     if (defined $path) {
-    	open (RCSFILE, "< $path");
+    	open (RCSFILE, $path);
     }	
     print "Reading RCS admin...\n" if ($debug >= 2);
     &parse_rcs_admin();
@@ -545,13 +545,13 @@ sub parse_cvs_file {
     @::revision_map = ();
     CheckHidden($rcs_pathname);
 
-    if (!open(RCSFILE, "< $rcs_pathname")) {
+    if (!open(RCSFILE, $rcs_pathname)) {
         my ($name, $path, $suffix) = fileparse($rcs_pathname);
         my $deleted_pathname = "${path}Attic/$name$suffix";
         die "$::progname: error: This file appeared to be under CVS control, " .
             "but the RCS file is inaccessible.\n" .
             "(Couldn't open '$rcs_pathname' or '$deleted_pathname').\n"
-          if !open(RCSFILE, "< $deleted_pathname");
+          if !open(RCSFILE, $deleted_pathname);
     }
     &parse_rcs_file();
     close(RCSFILE);
@@ -727,7 +727,7 @@ sub read_cvs_entries
 
     return if (! -d $cvsdir);
 
-    return if !open(ENTRIES, "< $cvsdir/Entries");
+    return if !open(ENTRIES, "$cvsdir/Entries");
     
     while(<ENTRIES>) {
         chop;
@@ -740,7 +740,7 @@ sub read_cvs_entries
     }
     close(ENTRIES);
 
-    return if !open(REPOSITORY, "< $cvsdir/Repository");
+    return if !open(REPOSITORY, "$cvsdir/Repository");
     $repository = <REPOSITORY>;
     chop($repository);
     close(REPOSITORY);
diff --git a/webtools/bonsai/cvsgraph.cgi b/webtools/bonsai/cvsgraph.cgi
index 5c24ba145b75..3de2d2c27597 100755
--- a/webtools/bonsai/cvsgraph.cgi
+++ b/webtools/bonsai/cvsgraph.cgi
@@ -72,6 +72,7 @@ if ($filename eq '') {
 }
 
 my ($file_head, $file_tail) = $filename =~ m@(.*/)?(.+)@;
+my $url_filename = url_quote($filename);
 
 # Handle the "root" argument
 #
@@ -177,7 +178,7 @@ function hideMessage() { return false }
 system(@cvsgraph_cmd, $rcs_filename);
 
 if (!defined $::FORM{'image'}) {
-    print qq{<img src="cvsgraph.cgi?file=$::FORM{'file'}&image=1" };
+    print qq{<img src="cvsgraph.cgi?file=$url_filename&image=1" };
     print qq{usemap="#revmap" alt="$filename" border="0" onclick="hideMessage()">\n};
     if ($::use_dom) {
 	require 'cvsblame.pl';
diff --git a/webtools/bonsai/cvslog.cgi b/webtools/bonsai/cvslog.cgi
index 4990ad41e445..c0a00f6ebd9f 100755
--- a/webtools/bonsai/cvslog.cgi
+++ b/webtools/bonsai/cvslog.cgi
@@ -48,7 +48,6 @@ sub sillyness {
 
 require 'CGI.pl';
 require 'cvsblame.pl';
-use SourceChecker;
 
 # Some Globals
 #
@@ -68,7 +67,8 @@ if ($filename eq '')
     exit;
 }
 my ($file_head, $file_tail) = $filename =~ m@(.*/)?(.+)@;
-
+my $url_filename = url_quote($filename);
+my $url_file_tail = url_quote($file_tail);
 
 # Handle the "rev" argument
 #
@@ -199,7 +199,7 @@ print "<A HREF='$lxr_path'>$file_tail</a> ";
 my $graph_cell = Param('cvsgraph') ? <<"--endquote--" : "";
        </TR><TR>
         <TD>
-         <A HREF="cvsgraph.cgi?file=$filename">graph</A>&nbsp;
+         <A HREF="cvsgraph.cgi?file=$url_filename">graph</A>&nbsp;
         </TD><TD NOWRAP>
          View the revision history as a graph
         </TD>
@@ -227,13 +227,13 @@ print qq(
         </TD>
        </TR><TR>
         <TD>
-         <A HREF="cvsview2.cgi?command=DIRECTORY&subdir=$rcs_path&files=$file_tail&branch=$::opt_rev">diff</A>
+         <A HREF="cvsview2.cgi?command=DIRECTORY&subdir=$rcs_path&files=$url_file_tail&branch=$::opt_rev">diff</A>
         </TD><TD NOWRAP>
          Compare any two version.
         </TD>
        </TR><TR>
         <TD>
-         <A HREF="cvsblame.cgi?file=$filename&rev=$::opt_rev&cvsroot=$root">blame</A>&nbsp;
+         <A HREF="cvsblame.cgi?file=$url_filename&rev=$::opt_rev&cvsroot=$root">blame</A>&nbsp;
         </TD><TD NOWRAP>
          Annotate the author of each line.
         </TD>
@@ -255,9 +255,9 @@ $graph_cell
 my $table_tag = "<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=3 WIDTH='100%'>";
 my $table_header_tag = "";
 if ($opt_sort eq 'author') {
-    $table_header_tag .= "<TH ALIGN=LEFT><A HREF='cvslog.cgi?file=$filename&root=$root&rev=$browse_revtag&sort=revision&author=$author_arg'>Rev</A><TH ALIGN=LEFT>Author<TH ALIGN=LEFT><A HREF='cvslog.cgi?file=$filename&root=$root&rev=$browse_revtag&sort=date&author=$author_arg'>Date</A><TH><TH ALIGN=LEFT>Log";
+    $table_header_tag .= "<TH ALIGN=LEFT><A HREF='cvslog.cgi?file=$url_filename&root=$root&rev=$browse_revtag&sort=revision&author=$author_arg'>Rev</A><TH ALIGN=LEFT>Author<TH ALIGN=LEFT><A HREF='cvslog.cgi?file=$url_filename&root=$root&rev=$browse_revtag&sort=date&author=$author_arg'>Date</A><TH><TH ALIGN=LEFT>Log";
 } else {
-    $table_header_tag .= "<TH ALIGN=LEFT>Rev<TH ALIGN=LEFT><A HREF='cvslog.cgi?file=$filename&root=$root&rev=$browse_revtag&sort=author&author=$author_arg'>Author</A><TH ALIGN=LEFT>Date<TH><TH ALIGN=LEFT>Log";
+    $table_header_tag .= "<TH ALIGN=LEFT>Rev<TH ALIGN=LEFT><A HREF='cvslog.cgi?file=$url_filename&root=$root&rev=$browse_revtag&sort=author&author=$author_arg'>Author</A><TH ALIGN=LEFT>Date<TH><TH ALIGN=LEFT>Log";
 }
 
 $table_header_tag = &url_encode3($table_header_tag);
@@ -307,11 +307,11 @@ foreach $revision (@revisions)
     my $anchor = "<A HREF=cvsview2.cgi";
 
     if (defined($::prev_revision{$revision})) {
-        $anchor .= "?diff_mode=context&whitespace_mode=show&file=$file_tail&branch=$::opt_rev"
+        $anchor .= "?diff_mode=context&whitespace_mode=show&file=$url_file_tail&branch=$::opt_rev"
             ."&root=$root&subdir=$rcs_path&command=DIFF_FRAMESET"
             ."&rev1=$::prev_revision{$revision}&rev2=$revision";
     } else {
-        $anchor .= "?files=$file_tail"
+        $anchor .= "?files=$url_file_tail"
             ."&root=$root&subdir=$rcs_path\&command=DIRECTORY\&rev2=$revision&branch=$::opt_rev";
         $anchor .= "&branch=$browse_revtag" unless $browse_revtag eq 'HEAD';
     }
diff --git a/webtools/bonsai/cvsquery.cgi b/webtools/bonsai/cvsquery.cgi
index 4f418d233a2e..31efd41a30c7 100755
--- a/webtools/bonsai/cvsquery.cgi
+++ b/webtools/bonsai/cvsquery.cgi
@@ -397,8 +397,8 @@ sub print_ci {
     print "<TD width=2%><a href='$registryurl/who.cgi?email=$url_who'"
           . " onClick=\"return js_who_menu('$url_who','',event);\" >"
           . "$ci->[$::CI_WHO]</a>\n";
-    print "<TD width=45%><a href='cvsview2.cgi?subdir=$ci->[$::CI_DIR]&files=$ci->[$::CI_FILE]\&command=DIRECTORY&branch=$::query_branch&root=$::CVS_ROOT'\n"
-          . " onclick=\"return js_file_menu('$::CVS_ROOT', '$ci->[$::CI_DIR]','$ci->[$::CI_FILE]','$ci->[$::CI_REV]','$::query_branch',event)\">\n";
+    print "<TD width=45%><a href='cvsview2.cgi?subdir=$ci->[$::CI_DIR]&files=" . url_quote($ci->[$::CI_FILE]) . "\&command=DIRECTORY&branch=$::query_branch&root=$::CVS_ROOT'\n"
+          . " onclick=\"return js_file_menu('$::CVS_ROOT', '$ci->[$::CI_DIR]','" . url_quote($ci->[$::CI_FILE]) . "','$ci->[$::CI_REV]','$::query_branch',event)\">\n";
 #     if( (length $ci->[$::CI_FILE]) + (length $ci->[$::CI_DIR])  > 30 ){
 #         $d = $ci->[$::CI_DIR];
 #         if( (length $ci->[$::CI_DIR]) > 30 ){
@@ -424,7 +424,7 @@ sub print_ci {
         print "<TD width=2%>${sm_font_tag}<a href='cvsview2.cgi?diff_mode=".
               "context\&whitespace_mode=show\&subdir=".
               $ci->[$::CI_DIR] . "\&command=DIFF_FRAMESET\&file=" .
-              $ci->[$::CI_FILE] . "\&rev1=$prevrev&rev2=$rev&root=$::CVS_ROOT'>$rev</a></font>\n";
+              url_quote($ci->[$::CI_FILE]) . "\&rev1=$prevrev&rev2=$rev&root=$::CVS_ROOT'>$rev</a></font>\n";
     }
     else {
         print "<TD width=2%>\&nbsp;\n";
diff --git a/webtools/bonsai/cvsview2.cgi b/webtools/bonsai/cvsview2.cgi
index c46b244b49bf..df1f88ecbf96 100755
--- a/webtools/bonsai/cvsview2.cgi
+++ b/webtools/bonsai/cvsview2.cgi
@@ -135,6 +135,7 @@ my $opt_rev               = $request->param('diff_mode');
 my $opt_subdir            = $request->param('subdir');
 my $opt_branch            = $request->param('branch');
 my $opt_command           = $request->param('command');
+my $url_file              = url_quote($opt_file);
 
 if (defined($opt_branch) && $opt_branch eq 'HEAD' ) { $opt_branch = ''; }
 
@@ -218,14 +219,14 @@ sub do_diff_frameset {
     print "<TITLE>$opt_file: $opt_rev1 vs. $opt_rev2</TITLE>\n";
     print "<FRAMESET ROWS='*,90' FRAMESPACING=0 BORDER=1>\n";
 
-    print "  <FRAME NAME=diff+$opt_file+$opt_rev1+$opt_rev2 ",
+    print "  <FRAME NAME=diff+$url_file+$opt_rev1+$opt_rev2 ",
           "         SRC=\"$magic_url&command=DIFF";
     print "&root=$opt_root" if defined($opt_root);
-    print "&file=$opt_file&rev1=$opt_rev1&rev2=$opt_rev2\">\n";
+    print "&file=$url_file&rev1=$opt_rev1&rev2=$opt_rev2\">\n";
 
     print "  <FRAME SRC=\"$magic_url&command=DIFF_LINKS";
     print "&root=$opt_root" if defined($opt_root);
-    print "&file=$opt_file&rev1=$opt_rev1&rev2=$opt_rev2\">\n";
+    print "&file=$url_file&rev1=$opt_rev1&rev2=$opt_rev2\">\n";
     print "</FRAMESET>\n";
 }
 
@@ -255,7 +256,7 @@ sub do_diff_links {
 
     chdir($dir);
 
-    open(RCSDIFF, "$rcsdiff -r$opt_rev1 -r$opt_rev2 $opt_file 2>/dev/null |");
+    open(RCSDIFF, "$rcsdiff -r$opt_rev1 -r$opt_rev2 " . shell_escape($opt_file) . " 2>/dev/null |");
 
     print '<FORM><TABLE CELLPADDING=0 CELLSPACING=0 BORDER=0><TR VALIGN=TOP>';
 
@@ -269,12 +270,12 @@ sub do_diff_links {
 # In this case, make the default behavior be that blame revisions match the requested
 # diff version, rather than always showing the tip.
 
-    my $blame_link = "$blame_base?file=$opt_subdir/$opt_file&rev=$opt_rev2";
+    my $blame_link = "$blame_base?file=$opt_subdir/$url_file&rev=$opt_rev2";
     $blame_link .= "&root=$opt_root" if defined($opt_root);
-    my $diff_link = "$magic_url&command=DIRECTORY&file=$opt_file&rev1=$opt_rev1&rev2=$opt_rev2";
+    my $diff_link = "$magic_url&command=DIRECTORY&file=$url_file&rev1=$opt_rev1&rev2=$opt_rev2";
     $diff_link .= "&root=$opt_root" if defined($opt_root);
     my $graph_row = Param('cvsgraph') ? <<"--endquote--" : "";
-<TR><TD NOWRAP ALIGN=RIGHT VALIGN=TOP><A HREF="cvsgraph.cgi?file=$opt_subdir/$opt_file" TARGET="_top"><B>graph:</B></A></TD>
+<TR><TD NOWRAP ALIGN=RIGHT VALIGN=TOP><A HREF="cvsgraph.cgi?file=$opt_subdir/$url_file" TARGET="_top"><B>graph:</B></A></TD>
 <TD NOWRAP>View the revision tree as a graph</TD></TR>
 --endquote--
 
@@ -318,10 +319,10 @@ sub do_diff_links {
         }
 
         print '&nbsp' x (4 - length($line));
-        print "<A TARGET='diff+$opt_file+$opt_rev1+$opt_rev2'",
+        print "<A TARGET='diff+$url_file+$opt_rev1+$opt_rev2'",
               "       HREF=\"$magic_url&command=DIFF";
         print "&root=$opt_root" if defined($opt_root);
-        print "&file=$opt_file&rev1=$opt_rev1&rev2=$opt_rev2#$anchor_num\"",
+        print "&file=$url_file&rev1=$opt_rev1&rev2=$opt_rev2#$anchor_num\"",
               "       ONCLICK='anchor = $anchor_num'>$line</A> ";
         $anchor_num++;
     }
@@ -461,6 +462,7 @@ sub do_directory {
 
     foreach my $file (split(/\+/, $opt_files)) {
         my ($path) = "$dir/$file,v";
+        my ($ufile) = url_quote($file);
 
         CheckHidden($path);
         $path = "$dir/Attic/$file,v" if (! -r $path);
@@ -471,7 +473,7 @@ sub do_directory {
 
         print "<TR><TD NOWRAP><B>";
         print "<A HREF=\"$lxr_link\">$file</A><BR>";
-        print "<A HREF=\"cvslog.cgi?file=$opt_subdir/$file";
+        print "<A HREF=\"cvslog.cgi?file=$opt_subdir/$ufile";
         print "&rev=$opt_branch" if $opt_branch;
         print "&root=$opt_root" if defined($opt_root);
         print "\">Change Log</A></B></TD>\n";
@@ -496,7 +498,7 @@ sub do_directory {
                 print '<TD VALIGN=TOP>';
                 print "<A HREF=\"$magic_url&command=DIRECTORY";
                 print "&root=$opt_root" if defined($opt_root);
-                print "&files=$opt_files&branch=$opt_branch&skip=", $opt_skip + $MAX_REVS, "\"><i>Prior revisions</i></A>", "</TD>\n";
+                print "&files=" . url_quote($opt_files) . "&branch=$opt_branch&skip=", $opt_skip + $MAX_REVS, "\"><i>Prior revisions</i></A>", "</TD>\n";
                 last;
             }
 
@@ -505,7 +507,7 @@ sub do_directory {
             if ( $prev && $rev ) {
                 $href_open = "<A HREF=\"$magic_url&command=DIFF_FRAMESET";
                 $href_open .= "&root=$opt_root" if defined($opt_root);
-                $href_open .= "&file=$file&rev1=$prev&rev2=$rev\">";
+                $href_open .= "&file=$ufile&rev1=$prev&rev2=$rev\">";
                 $href_close = "</A>";
             }
             print "<TD>$href_open$rev$href_close<BR>";
@@ -523,7 +525,7 @@ sub do_directory {
             last if !$revs_remaining--;
             print "<TD><A HREF=\"$magic_url&command=LOG";
             print "root=$opt_root" if defined($opt_root);
-            print "&file=$file&rev=$rev\">$::revision_author{$rev}</A>",
+            print "&file=$ufile&rev=$rev\">$::revision_author{$rev}</A>",
             "</TD>\n";
         }
         print "</TR>\n";}
@@ -593,8 +595,8 @@ sub html_diff {
     my ($old_line);
     my ($point, $mark); 
 
-    open(DIFF, "$rcsdiff -f -r$rev1 -r$rev2 $file 2>/dev/null |");
-    open(OLDREV, "$cocommand -p$rev1 $file 2>/dev/null |");
+    open(DIFF, "$rcsdiff -f -r$rev1 -r$rev2 " . shell_escape($file) . " 2>/dev/null |");
+    open(OLDREV, "$cocommand -p$rev1 " . shell_escape($file) . " 2>/dev/null |");
 
     $anchor_num = 0;
 
diff --git a/webtools/bonsai/globals.pl b/webtools/bonsai/globals.pl
index ccc7321af4f5..d9141319bb4e 100644
--- a/webtools/bonsai/globals.pl
+++ b/webtools/bonsai/globals.pl
@@ -26,6 +26,7 @@ $::TreeID = "default";
 use diagnostics;
 use strict;
 use DBI;
+use File::Path;
 
 use Date::Format;               # For time2str().
 use Date::Parse;                # For str2time().
@@ -517,11 +518,10 @@ sub DataDir {
 
      # Make sure it exists...
      unless (-d $dir) {
-          system ("rm", "-rf", $dir);
-          system ("mkdir", "-p", $dir);
-          die "Couldn't create '$dir'\n"
-               unless (-d $dir);
-          chmod(0777, $dir);
+         rmtree([$dir], 1, 1);
+         mkpath([$dir], 0, 0777);
+         die "Couldn't create '$dir'\n"
+             unless (-d $dir);
      }
 
      return $dir;
diff --git a/webtools/bonsai/multidiff.cgi b/webtools/bonsai/multidiff.cgi
index 193fbebae27f..da4e0066f5d4 100755
--- a/webtools/bonsai/multidiff.cgi
+++ b/webtools/bonsai/multidiff.cgi
@@ -28,6 +28,7 @@
 use diagnostics;
 use strict;
 
+require 'CGI.pl';
 require 'globals.pl';
 
 $|=1;
@@ -83,7 +84,7 @@ for my $k (@revs) {
     if (IsHidden($fullname)) {
         next;
     }
-    open( DIFF, "$rcsdiffcommand -u -r$prevrev -r$rev $fullname 2>&1|" );
+    open( DIFF, "$rcsdiffcommand -u -r$prevrev -r$rev" . escape_shell($fullname) ." 2>&1|" );
     while(<DIFF>){
 		if (($_ =~ /RCS file/) || ($_ =~ /rcsdiff/)) { 
 			$_ =~ s/(^.*)(.*\/)(.*)/$1 $3/;