| author | Jim Meyering <meyering@redhat.com> | 2011-02-28 11:18:57 (UTC) |
|---|---|---|
| committer | Lars Hjemli <hjemli@gmail.com> | 2011-03-05 12:38:34 (UTC) |
| commit | fc384b16fb9787380746000d3cea2d53fccc548e (patch) (unidiff) | |
| tree | d0a77d911c111e49904ab2f5061af22417f2b698 | |
| parent | 6bf2658f04089179aa373e47bd1d0718e808a59b (diff) | |
| download | cgit-fc384b16fb9787380746000d3cea2d53fccc548e.zip cgit-fc384b16fb9787380746000d3cea2d53fccc548e.tar.gz cgit-fc384b16fb9787380746000d3cea2d53fccc548e.tar.bz2 | |
do not infloop on a query ending in %XY, for invalid hex X or Y
When a query ends in say %gg, (or any invalid hex) e.g.,
http://git.gnome.org/browse/gdlmm/commit/?id=%gg
convert_query_hexchar calls memmove(txt, txt+3, 0), and then returns
txt-1, so the loop in http_parse_querystring never terminates. The
solution is to make the memmove also copy the trailing NUL.
* html.c (convert_query_hexchar): Fix off-by-one error.
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
| -rw-r--r-- | html.c | 2 |
1 files changed, 1 insertions, 1 deletions
| @@ -156,137 +156,137 @@ void html_url_arg(char *txt) | |||
| 156 | write(htmlfd, fmt("%%%2x", c), 3); | 156 | write(htmlfd, fmt("%%%2x", c), 3); |
| 157 | txt = t+1; | 157 | txt = t+1; |
| 158 | } | 158 | } |
| 159 | t++; | 159 | t++; |
| 160 | } | 160 | } |
| 161 | if (t!=txt) | 161 | if (t!=txt) |
| 162 | html(txt); | 162 | html(txt); |
| 163 | } | 163 | } |
| 164 | 164 | ||
| 165 | void html_hidden(char *name, char *value) | 165 | void html_hidden(char *name, char *value) |
| 166 | { | 166 | { |
| 167 | html("<input type='hidden' name='"); | 167 | html("<input type='hidden' name='"); |
| 168 | html_attr(name); | 168 | html_attr(name); |
| 169 | html("' value='"); | 169 | html("' value='"); |
| 170 | html_attr(value); | 170 | html_attr(value); |
| 171 | html("'/>"); | 171 | html("'/>"); |
| 172 | } | 172 | } |
| 173 | 173 | ||
| 174 | void html_option(char *value, char *text, char *selected_value) | 174 | void html_option(char *value, char *text, char *selected_value) |
| 175 | { | 175 | { |
| 176 | html("<option value='"); | 176 | html("<option value='"); |
| 177 | html_attr(value); | 177 | html_attr(value); |
| 178 | html("'"); | 178 | html("'"); |
| 179 | if (selected_value && !strcmp(selected_value, value)) | 179 | if (selected_value && !strcmp(selected_value, value)) |
| 180 | html(" selected='selected'"); | 180 | html(" selected='selected'"); |
| 181 | html(">"); | 181 | html(">"); |
| 182 | html_txt(text); | 182 | html_txt(text); |
| 183 | html("</option>\n"); | 183 | html("</option>\n"); |
| 184 | } | 184 | } |
| 185 | 185 | ||
| 186 | void html_link_open(char *url, char *title, char *class) | 186 | void html_link_open(char *url, char *title, char *class) |
| 187 | { | 187 | { |
| 188 | html("<a href='"); | 188 | html("<a href='"); |
| 189 | html_attr(url); | 189 | html_attr(url); |
| 190 | if (title) { | 190 | if (title) { |
| 191 | html("' title='"); | 191 | html("' title='"); |
| 192 | html_attr(title); | 192 | html_attr(title); |
| 193 | } | 193 | } |
| 194 | if (class) { | 194 | if (class) { |
| 195 | html("' class='"); | 195 | html("' class='"); |
| 196 | html_attr(class); | 196 | html_attr(class); |
| 197 | } | 197 | } |
| 198 | html("'>"); | 198 | html("'>"); |
| 199 | } | 199 | } |
| 200 | 200 | ||
| 201 | void html_link_close(void) | 201 | void html_link_close(void) |
| 202 | { | 202 | { |
| 203 | html("</a>"); | 203 | html("</a>"); |
| 204 | } | 204 | } |
| 205 | 205 | ||
| 206 | void html_fileperm(unsigned short mode) | 206 | void html_fileperm(unsigned short mode) |
| 207 | { | 207 | { |
| 208 | htmlf("%c%c%c", (mode & 4 ? 'r' : '-'), | 208 | htmlf("%c%c%c", (mode & 4 ? 'r' : '-'), |
| 209 | (mode & 2 ? 'w' : '-'), (mode & 1 ? 'x' : '-')); | 209 | (mode & 2 ? 'w' : '-'), (mode & 1 ? 'x' : '-')); |
| 210 | } | 210 | } |
| 211 | 211 | ||
| 212 | int html_include(const char *filename) | 212 | int html_include(const char *filename) |
| 213 | { | 213 | { |
| 214 | FILE *f; | 214 | FILE *f; |
| 215 | char buf[4096]; | 215 | char buf[4096]; |
| 216 | size_t len; | 216 | size_t len; |
| 217 | 217 | ||
| 218 | if (!(f = fopen(filename, "r"))) { | 218 | if (!(f = fopen(filename, "r"))) { |
| 219 | fprintf(stderr, "[cgit] Failed to include file %s: %s (%d).\n", | 219 | fprintf(stderr, "[cgit] Failed to include file %s: %s (%d).\n", |
| 220 | filename, strerror(errno), errno); | 220 | filename, strerror(errno), errno); |
| 221 | return -1; | 221 | return -1; |
| 222 | } | 222 | } |
| 223 | while((len = fread(buf, 1, 4096, f)) > 0) | 223 | while((len = fread(buf, 1, 4096, f)) > 0) |
| 224 | write(htmlfd, buf, len); | 224 | write(htmlfd, buf, len); |
| 225 | fclose(f); | 225 | fclose(f); |
| 226 | return 0; | 226 | return 0; |
| 227 | } | 227 | } |
| 228 | 228 | ||
| 229 | int hextoint(char c) | 229 | int hextoint(char c) |
| 230 | { | 230 | { |
| 231 | if (c >= 'a' && c <= 'f') | 231 | if (c >= 'a' && c <= 'f') |
| 232 | return 10 + c - 'a'; | 232 | return 10 + c - 'a'; |
| 233 | else if (c >= 'A' && c <= 'F') | 233 | else if (c >= 'A' && c <= 'F') |
| 234 | return 10 + c - 'A'; | 234 | return 10 + c - 'A'; |
| 235 | else if (c >= '0' && c <= '9') | 235 | else if (c >= '0' && c <= '9') |
| 236 | return c - '0'; | 236 | return c - '0'; |
| 237 | else | 237 | else |
| 238 | return -1; | 238 | return -1; |
| 239 | } | 239 | } |
| 240 | 240 | ||
| 241 | char *convert_query_hexchar(char *txt) | 241 | char *convert_query_hexchar(char *txt) |
| 242 | { | 242 | { |
| 243 | int d1, d2, n; | 243 | int d1, d2, n; |
| 244 | n = strlen(txt); | 244 | n = strlen(txt); |
| 245 | if (n < 3) { | 245 | if (n < 3) { |
| 246 | *txt = '\0'; | 246 | *txt = '\0'; |
| 247 | return txt-1; | 247 | return txt-1; |
| 248 | } | 248 | } |
| 249 | d1 = hextoint(*(txt+1)); | 249 | d1 = hextoint(*(txt+1)); |
| 250 | d2 = hextoint(*(txt+2)); | 250 | d2 = hextoint(*(txt+2)); |
| 251 | if (d1<0 || d2<0) { | 251 | if (d1<0 || d2<0) { |
| 252 | memmove(txt, txt+3, n-3); | 252 | memmove(txt, txt+3, n-2); |
| 253 | return txt-1; | 253 | return txt-1; |
| 254 | } else { | 254 | } else { |
| 255 | *txt = d1 * 16 + d2; | 255 | *txt = d1 * 16 + d2; |
| 256 | memmove(txt+1, txt+3, n-2); | 256 | memmove(txt+1, txt+3, n-2); |
| 257 | return txt; | 257 | return txt; |
| 258 | } | 258 | } |
| 259 | } | 259 | } |
| 260 | 260 | ||
| 261 | int http_parse_querystring(char *txt, void (*fn)(const char *name, const char *value)) | 261 | int http_parse_querystring(char *txt, void (*fn)(const char *name, const char *value)) |
| 262 | { | 262 | { |
| 263 | char *t, *value = NULL, c; | 263 | char *t, *value = NULL, c; |
| 264 | 264 | ||
| 265 | if (!txt) | 265 | if (!txt) |
| 266 | return 0; | 266 | return 0; |
| 267 | 267 | ||
| 268 | t = txt = strdup(txt); | 268 | t = txt = strdup(txt); |
| 269 | if (t == NULL) { | 269 | if (t == NULL) { |
| 270 | printf("Out of memory\n"); | 270 | printf("Out of memory\n"); |
| 271 | exit(1); | 271 | exit(1); |
| 272 | } | 272 | } |
| 273 | while((c=*t) != '\0') { | 273 | while((c=*t) != '\0') { |
| 274 | if (c=='=') { | 274 | if (c=='=') { |
| 275 | *t = '\0'; | 275 | *t = '\0'; |
| 276 | value = t+1; | 276 | value = t+1; |
| 277 | } else if (c=='+') { | 277 | } else if (c=='+') { |
| 278 | *t = ' '; | 278 | *t = ' '; |
| 279 | } else if (c=='%') { | 279 | } else if (c=='%') { |
| 280 | t = convert_query_hexchar(t); | 280 | t = convert_query_hexchar(t); |
| 281 | } else if (c=='&') { | 281 | } else if (c=='&') { |
| 282 | *t = '\0'; | 282 | *t = '\0'; |
| 283 | (*fn)(txt, value); | 283 | (*fn)(txt, value); |
| 284 | txt = t+1; | 284 | txt = t+1; |
| 285 | value = NULL; | 285 | value = NULL; |
| 286 | } | 286 | } |
| 287 | t++; | 287 | t++; |
| 288 | } | 288 | } |
| 289 | if (t!=txt) | 289 | if (t!=txt) |
| 290 | (*fn)(txt, value); | 290 | (*fn)(txt, value); |
| 291 | return 0; | 291 | return 0; |
| 292 | } | 292 | } |