[Boa-devel] Proposed Patch for 0.94.14rc14
Brought to you by:
jnelson
From: Jon N. <jn...@ja...> - 2003-02-18 05:04:51
|
I am including my proposed patch for 0.94.14rc14, although it should apply fairly cleanly for many 0.94.14rc's. If anybody doesn't have 0.94.14rc14 but wants it (because I pulled it from the website), please let me know, I'll get it to you. If the original author wishes it, public thanks will be given later. diff -ur boa-0.94.14rc14/src/request.c boa-0.94.14rc14.patched/src/request.c --- boa-0.94.14rc14/src/request.c 2003-02-01 23:02:19.000000000 -0600 +++ boa-0.94.14rc14.patched/src/request.c 2003-02-17 22:55:54.000000000 -0600 @@ -614,15 +614,47 @@ /* advance STOP until first '/' after host */ stop += strlen(SERVER_METHOD) + 3; host = stop; - while (*stop != '\0' && *stop != '/') + while(*stop != '\0' && *stop != '/' && *stop != ' ') ++stop; - if (stop == host || *stop == '\0') { + + if (stop2 < stop) { + /* Corruption in absolute URI */ + /* This prevents a DoS attack from format string attacks */ + log_error_doc(req); + fprintf(stderr, "corruption in absolute URI: %d \"%s\"\n", + stop2 - stop, req->logline); + send_r_bad_request(req); + return(0); + } else if (stop == stop2) { + /* nothing *at all* after http:// */ /* no host in absolute URI */ - log_error_time(); - fprintf(stderr, "no host in absolute URI: \"%s\"\n", - req->request_uri); + log_error_doc(req); + fprintf(stderr, "nothing after http:// in absolute URI: \"%s\"\n", req->request_uri); send_r_bad_request(req); - return (0); + return(0); + } + + /* stop2 > stop */ + if (stop == host) { + /* host is one letter? */ + if (*stop == '/') { + /* no host in absolute URI */ + log_error_doc(req); + fprintf(stderr, "no host in absolute URI: \"%s\"\n", req->request_uri); + send_r_bad_request(req); + return(0); + } else { + /* host is valid, but there is no URL. */ + log_error_doc(req); + fprintf(stderr, "no URL in absolute URI: \"%s\"\n", req->request_uri); + send_r_bad_request(req); + return(0); + } + } else { + /* stop2 < stop, so we have *something* after http:// + * stop > host, thus host is good, and we have an URL + */ + ; } /* copy the URI */ memcpy(req->request_uri, stop, stop2 - stop); -- "Never try to write to ROM - it wastes your time and annoys the ROM." Jon Nelson <jn...@ja...> C and Python Code Gardener |