| author | Mark Lodato <lodatom@gmail.com> | 2010-08-28 01:02:27 (UTC) |
|---|---|---|
| committer | Lars Hjemli <hjemli@gmail.com> | 2010-08-29 15:27:40 (UTC) |
| commit | 48434780ca62fde84337ea1e797f642de5ca50d5 (patch) (side-by-side diff) | |
| tree | ad6a67137124a5ae70de10dd29e84bd6bf21c6ea | |
| parent | c94414a4c8cd099f5737e8b4066693d07ce78f61 (diff) | |
| download | cgit-48434780ca62fde84337ea1e797f642de5ca50d5.zip cgit-48434780ca62fde84337ea1e797f642de5ca50d5.tar.gz cgit-48434780ca62fde84337ea1e797f642de5ca50d5.tar.bz2 | |
html: fix strcpy bug in convert_query_hexchar
The source and destination strings in strcpy() may not overlap.
Instead, use memmove(), which allows overlap. This fixes test t0104,
where 'url=foo%2bbar/tree' was being parsed improperly.
Signed-off-by: Mark Lodato <lodatom@gmail.com>
| -rw-r--r-- | html.c | 9 |
1 files changed, 5 insertions, 4 deletions
@@ -147,145 +147,146 @@ void html_url_path(char *txt) } void html_url_arg(char *txt) { char *t = txt; while(t && *t){ int c = *t; if (c=='"' || c=='#' || c=='%' || c=='&' || c=='\'' || c=='+' || c=='?') { write(htmlfd, txt, t - txt); write(htmlfd, fmt("%%%2x", c), 3); txt = t+1; } t++; } if (t!=txt) html(txt); } void html_hidden(char *name, char *value) { html("<input type='hidden' name='"); html_attr(name); html("' value='"); html_attr(value); html("'/>"); } void html_option(char *value, char *text, char *selected_value) { html("<option value='"); html_attr(value); html("'"); if (selected_value && !strcmp(selected_value, value)) html(" selected='selected'"); html(">"); html_txt(text); html("</option>\n"); } void html_link_open(char *url, char *title, char *class) { html("<a href='"); html_attr(url); if (title) { html("' title='"); html_attr(title); } if (class) { html("' class='"); html_attr(class); } html("'>"); } void html_link_close(void) { html("</a>"); } void html_fileperm(unsigned short mode) { htmlf("%c%c%c", (mode & 4 ? 'r' : '-'), (mode & 2 ? 'w' : '-'), (mode & 1 ? 'x' : '-')); } int html_include(const char *filename) { FILE *f; char buf[4096]; size_t len; if (!(f = fopen(filename, "r"))) { fprintf(stderr, "[cgit] Failed to include file %s: %s (%d).\n", filename, strerror(errno), errno); return -1; } while((len = fread(buf, 1, 4096, f)) > 0) write(htmlfd, buf, len); fclose(f); return 0; } int hextoint(char c) { if (c >= 'a' && c <= 'f') return 10 + c - 'a'; else if (c >= 'A' && c <= 'F') return 10 + c - 'A'; else if (c >= '0' && c <= '9') return c - '0'; else return -1; } char *convert_query_hexchar(char *txt) { - int d1, d2; - if (strlen(txt) < 3) { + int d1, d2, n; + n = strlen(txt); + if (n < 3) { *txt = '\0'; return txt-1; } d1 = hextoint(*(txt+1)); d2 = hextoint(*(txt+2)); if (d1<0 || d2<0) { - strcpy(txt, txt+3); + memmove(txt, txt+3, n-3); return txt-1; } else { *txt = d1 * 16 + d2; - strcpy(txt+1, txt+3); + memmove(txt+1, txt+3, n-2); return txt; } } int http_parse_querystring(char *txt, void (*fn)(const char *name, const char *value)) { char *t, *value = NULL, c; if (!txt) return 0; t = txt = strdup(txt); if (t == NULL) { printf("Out of memory\n"); exit(1); } while((c=*t) != '\0') { if (c=='=') { *t = '\0'; value = t+1; } else if (c=='+') { *t = ' '; } else if (c=='%') { t = convert_query_hexchar(t); } else if (c=='&') { *t = '\0'; (*fn)(txt, value); txt = t+1; value = NULL; } t++; } if (t!=txt) (*fn)(txt, value); return 0; } |