#1 Bug with "?"

Status: open
Owner: nobody
Labels: None
Priority: 5
Created: 2006-04-04
Updated: 2006-04-04
Creator: Davide Matarese
Private: No

Hi Edualdo!
I'm going to use monkeyd in a development server. But I noticed a fancy bug.
When I supply a request of the form "GET /some_uri?params HTTP/1.x" and the page contains some link to other resources (e.g. <img src=...>), monkeyd announces a "malloc: Cannot allocate memory" to the resource request.
I found the problem source in request.c, line 284 and above. If the client puts the HTTP header "Referer: page_that_refer_this_resource" and that header contains a "?", then some strange event occurs (query_end is > query_init, so the malloc size is a negative number).
Note that this bug could appear even with other HTTP headers that include the "?" character.

This is my fix [can be improved]:

line 284:
        /* Query String */
        if((query_init=str_search(request_body+uri_init, "?", 1))>0){
                query_init+=uri_init+1;
                query_end = uri_end;
>>              /* "?" found past the end of the URI (e.g. in a header): no query string */
>>              if (query_init >= query_end)
>>              {
>>                      sr->query_string = NULL;
>>              }
>>              else
                {
                        uri_end = query_init - 1;
                        sr->query_string = m_copy_string(request_body, query_init, query_end);
                }
        }
        else{
                sr->query_string=NULL;
        }

NOTE:
- monkeyd version: 0.9.1 (even with gentoo patch)
- php-cgi support enabled
- IE, Firefox, Konqueror clients

Sorry for my English. I hope that this fix (or something similar) will be included in mainstream.
Thanks for your attention!
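The failure mode described in the report, as an added, stand-alone example in C (this is not monkeyd's request.c and not the reporter's patch). The two sample requests, and the helper names locate_uri, buggy_query_len and fixed_query, are constructed for the illustration. buggy_query_len reproduces the unbounded "?" search, which matches inside the Referer header and yields a negative length for malloc(); fixed_query bounds the search to the URI bytes, so a "?" in any later header can never be taken as the start of the query string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample requests (not taken from the bug report). In the first
   one the URI carries no "?", but the Referer header does; in the second the
   "?" is in the URI itself. */
static const char *REQ_REFERER_ONLY =
    "GET /img/logo.png HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Referer: http://example.test/page.php?id=42\r\n"
    "\r\n";

static const char *REQ_WITH_QUERY =
    "GET /page.php?id=42&x=1 HTTP/1.0\r\n"
    "Referer: http://example.test/?z\r\n"
    "\r\n";

/* Find the request-URI on the first line. Returns 0 on success and sets
   *uri_init / *uri_end to its byte offsets (end exclusive). */
static int locate_uri(const char *req, int *uri_init, int *uri_end)
{
    const char *eol = strstr(req, "\r\n");
    const char *sp1 = strchr(req, ' ');
    if (!eol || !sp1 || sp1 > eol)
        return -1;
    const char *sp2 = memchr(sp1 + 1, ' ', (size_t)(eol - (sp1 + 1)));
    if (!sp2)
        return -1;
    *uri_init = (int)(sp1 + 1 - req);
    *uri_end = (int)(sp2 - req);
    return 0;
}

/* Buggy extraction, modelled on the report: the "?" search starts at the URI
   but is not stopped at uri_end, so it can match inside a later header.
   Returns the length that would be handed to malloc(); it goes negative when
   the "?" came from a header, and a negative value cast to size_t is huge,
   which is why malloc() then fails with "Cannot allocate memory". */
static long buggy_query_len(const char *req)
{
    int uri_init, uri_end;
    if (locate_uri(req, &uri_init, &uri_end) != 0)
        return 0;
    const char *q = strchr(req + uri_init, '?');   /* unbounded search */
    if (!q)
        return 0;
    int query_init = (int)(q - req) + 1;
    int query_end = uri_end;
    return (long)query_end - (long)query_init;
}

/* Corrected extraction: only look for "?" between uri_init and uri_end, so
   the query string can never start past the end of the URI. Returns a
   malloc()ed copy of the query string, or NULL when the URI has none. */
static char *fixed_query(const char *req)
{
    int uri_init, uri_end;
    if (locate_uri(req, &uri_init, &uri_end) != 0)
        return NULL;
    const char *q = memchr(req + uri_init, '?', (size_t)(uri_end - uri_init));
    if (!q)
        return NULL;
    int query_init = (int)(q - req) + 1;
    size_t len = (size_t)(uri_end - query_init);   /* never negative here */
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    memcpy(out, req + query_init, len);
    out[len] = '\0';
    return out;
}

int main(void)
{
    printf("buggy length, Referer-only request: %ld\n", buggy_query_len(REQ_REFERER_ONLY));
    printf("buggy length, query in URI:         %ld\n", buggy_query_len(REQ_WITH_QUERY));
    char *q = fixed_query(REQ_REFERER_ONLY);
    printf("fixed, Referer-only request: %s\n", q ? q : "(none)");
    free(q);
    q = fixed_query(REQ_WITH_QUERY);
    printf("fixed, query in URI:         %s\n", q ? q : "(none)");
    free(q);
    return 0;
}
```

The reporter's check (`query_init >= query_end` means no query string) stops the negative allocation, but bounding the search itself, as fixed_query does, is the more robust form: it removes the dependency on headers never containing "?" rather than handling that case after the fact.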

Discussion

  • Logged In: YES
    user_id=27191
    Originator: NO

    thanks for your patch, 0.9.2 coming soon