[Boa-devel] Proposed Patch for 0.94.14rc14

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I am including my proposed patch for 0.94.14rc14, although it should
apply fairly cleanly for many 0.94.14rc's.

If anybody doesn't have 0.94.14rc14 but wants it (because I pulled it
from the website), please let me know, I'll get it to you.

If the original author wishes it, public thanks will be given later.

diff -ur boa-0.94.14rc14/src/request.c boa-0.94.14rc14.patched/src/request.c

--- boa-0.94.14rc14/src/request.c	2003-02-01 23:02:19.000000000 -0600
+++ boa-0.94.14rc14.patched/src/request.c	2003-02-17 22:55:54.000000000 -0600
@@ -614,15 +614,47 @@
         /* advance STOP until first '/' after host */
         stop += strlen(SERVER_METHOD) + 3;
         host = stop;
-        while (*stop != '\0' && *stop != '/')
+        while(*stop != '\0' && *stop != '/' && *stop != ' ')
             ++stop;
-        if (stop == host || *stop == '\0') {
+
+        if (stop2 < stop) {
+            /* Corruption in absolute URI */
+            /* This prevents a DoS attack from format string attacks */
+            log_error_doc(req);
+            fprintf(stderr, "corruption in absolute URI: %d \"%s\"\n",
+                    stop2 - stop, req->logline);
+            send_r_bad_request(req);
+            return(0);
+        } else if (stop == stop2) {
+            /* nothing *at all* after http:// */
             /* no host in absolute URI */
-            log_error_time();
-            fprintf(stderr, "no host in absolute URI: \"%s\"\n",
-                    req->request_uri);
+            log_error_doc(req);
+            fprintf(stderr, "nothing after http:// in absolute URI: \"%s\"\n", req->request_uri);
             send_r_bad_request(req);
-            return (0);
+            return(0);
+        }
+
+        /* stop2 > stop */
+        if (stop == host) {
+            /* host is one letter? */
+            if (*stop == '/') {
+                /* no host in absolute URI */
+                log_error_doc(req);
+                fprintf(stderr, "no host in absolute URI: \"%s\"\n", req->request_uri);
+                send_r_bad_request(req);
+                return(0);
+            } else {
+                /* host is valid, but there is no URL. */
+                log_error_doc(req);
+                fprintf(stderr, "no URL in absolute URI: \"%s\"\n", req->request_uri);
+                send_r_bad_request(req);
+                return(0);
+            }
+        } else {
+            /* stop2 < stop, so we have *something* after http://
+             * stop > host, thus host is good, and we have an URL
+             */
+            ;
         }
         /* copy the URI */
         memcpy(req->request_uri, stop, stop2 - stop);

--
"Never try to write to ROM - it wastes your time and annoys the ROM."

Jon Nelson <jn...@ja...>
C and Python Code Gardener


