[Xapian-tickets] [Xapian] #578: omega GET query parsing defects and fix
Xapian
nobody at xapian.org
Mon Nov 14 05:39:19 GMT 2011
#578: omega GET query parsing defects and fix
--------------------+-------------------------------------------------------
Reporter: catkin | Owner: olly
Type: defect | Status: new
Priority: normal | Milestone:
Component: Omega | Version: 1.2.7
Severity: normal | Blockedby:
Platform: All | Blocking:
--------------------+-------------------------------------------------------
Without this patch:
- if the QUERY_STRING ends with a '%', the parsing routine
will overrun the QUERY_STRING (if it is followed in memory
by only a single NUL byte).
- omega stops parsing GET query parameters if there are
two consecutive ampersands in QUERY_STRING.
- omega tries to parse anything following a percent sign.
Other implementations do not try to parse malformed escape
sequences.
The patch is also attached as a file
----
diff -Naur xapian-omega-1.2.7-original/cgiparam.cc xapian-
omega-1.2.7/cgiparam.cc
--- xapian-omega-1.2.7-original/cgiparam.cc 2011-08-10
09:49:12.000000000 +0300
+++ xapian-omega-1.2.7/cgiparam.cc 2011-11-13 08:10:15.021566998
+0200
@@ -180,20 +180,28 @@
while (1) {
ch = *q_str++;
if (ch == '\0' || ch == '&') {
- if (name.empty()) return; // end on blank line
- add_param(name, val);
+ if (!name.empty()) add_param(name, val);
+ if (ch == '\0')
+ return;
break;
}
char orig_ch = ch;
if (ch == '+')
ch = ' ';
- else if (ch == '%') {
- int c = *q_str++;
- ch = (c & 0xf) + ((c & 64) ? 9 : 0);
- if (c) c = *q_str++;
- ch = ch << 4;
- ch |= (c & 0xf) + ((c & 64) ? 9 : 0);
- if (!c) return; // unfinished % code
+ else if (ch == '%' &&
+ ((q_str[0] >= '0' && q_str[0] <= '9') ||
+ (q_str[0] >= 'A' && q_str[0] <= 'F') ||
+ (q_str[0] >= 'a' && q_str[0] <= 'f')) &&
+ ((q_str[1] >= '0' && q_str[1] <= '9') ||
+ (q_str[1] >= 'A' && q_str[1] <= 'F') ||
+ (q_str[1] >= 'a' && q_str[1] <= 'f'))) {
+ const int c1 = q_str[0], c2 = q_str[1];
+ int c;
+ c = ( (c1 & 0xf) + ((c1 & 64) ? 9 : 0) ) << 4
+ + ( (c2 & 0xf) + ((c2 & 64) ? 9 : 0) );
+ q_str += 2;
+ if (!c)
+ continue;
}
if (had_equals) {
val += char(ch);
--
Ticket URL: <http://trac.xapian.org/ticket/578>
Xapian <http://xapian.org/>
Xapian
More information about the Xapian-tickets
mailing list