> this gives a redirect to something like
> site.com/get.asp=../views/xfd...
Bug spotted: a problem with fil_simplifie(), which is
supposed to strip all ../ occurrences from relative paths. The
problem: the routine was not stopping when it reached the
query string (the part after `?`), so it also rewrote `../`
sequences that belong to query parameters rather than to the path.
> Xavier, I mailed you about it with some more details. Just
> let me know if you need more info.
That's fine, thanks - the hardest thing to do with
this kind of bug is to actually get a simple,
reproducible case. The rest is only trivial deduction :)
Here's the patch --
--- htslib.c.orig Fri Jan 30 21:14:57 2004
+++ htslib.c Fri Jan 30 21:14:45 2004
@@ -2290,7 +2290,8 @@
// éliminer ../
while (f[i]) {
-
+ if (f[i]=='?') // query string: that's all,
folks!
+ break;
if (f[i]=='/') {
if (f[i+1]=='.')
if (f[i+2]=='.') // couper dernier répertoire
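Review bot: The new `if (f[i]=='?') break;` recognises only the literal query separator as the end of the path, so a `#` fragment delimiter is not treated as a boundary and a `/../` after `#` would still be collapsed by the loop below unless fragments are removed before this point. Everything after `?` is now left untouched, including any `../` carried in a query parameter; that is the intended fix, but it is only safe if the code that later derives a local file name from this URL never uses the query part as a path component, and that code is outside this hunk. Suggest making the contract explicit with a comment on the new line: `// stop at the query string: anything after '?' is not a path and must not be rewritten here`. fil_simplifie's body starts and ends outside this hunk.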
@@ -2320,14 +2321,14 @@
}
// éliminer ./
- while ( (a=strstr(f,"./")) ) {
+ while ( (a=strstr_limit(f,"./","?")) ) {
char tempo[HTS_URLMAXSIZE*2];
tempo[0]='\0';
strcpybuff(tempo,a+2);
strcpybuff(a,tempo);
}
// delete all remaining ../ (potential threat)
- while ( (a=strstr(f,"../")) ) {
+ while ( (a=strstr_limit(f,"../","?")) ) {
char tempo[HTS_URLMAXSIZE*2];
tempo[0]='\0';
strcpybuff(tempo,a+3);
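Review bot: The `./` pass at `strstr_limit(f,"./","?")` is not anchored to a segment boundary, so it also deletes those two characters from a name such as `a./b`; that is pre-existing behaviour, but now that the pass is limited to the path part it deserves a comment. Both loops rescan from `f` on every iteration and each strstr_limit call recomputes the position of `?`, which is acceptable for URL-sized input but quadratic in the number of occurrences. The final `../` pass only matches forward slashes, so a `..\` sequence is left untouched; if the Win32 build lets backslashes reach a local file name, that needs separate handling not visible here. Suggested comment on the last loop: `// belt and braces: strip any ../ still left in the path part (before '?'); the query string is deliberately left alone`. The enclosing function continues past the end of this hunk.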
@@ -3134,6 +3135,21 @@
a=p+1;
}
}
+}
+
+// strrchr, but not too far
+char* strstr_limit(char* s, char* sub, char* limit) {
+ if (limit == NULL) {
+ return strstr(s, sub);
+ } else {
+ char* pos = strstr(s, sub);
+ if (pos != NULL) {
+ char* farpos = strstr(s, limit);
+ if (farpos == NULL || pos < farpos)
+ return pos;
+ }
+ }
+ return NULL;
}
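Review bot: The header comment `// strrchr, but not too far` names the wrong function: this is a bounded `strstr`, and `strrchr_limit` is a separate helper declared in the same header; suggest `// strstr, but only within the part of s before the first occurrence of limit (whole string when limit is NULL)`. The pointer comparison `pos < farpos` is valid since both point into `s`, but an empty `limit` makes `farpos == s`, so the function then always returns NULL, which is probably not intended; a guard such as `if (limit == NULL || *limit == '\0') return strstr(s, sub);` covers it. None of the three parameters are written through, so they could be `const char*` as in the standard `strstr`, although the neighbouring `strrchr_limit` also takes plain `char*`.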
--- htslib.h.orig Fri Jan 30 21:15:00 2004
+++ htslib.h Fri Jan 30 21:14:45 2004
@@ -260,6 +260,7 @@
HTSEXT_API char* adr_normalized(char* source, char* dest);
#endif
char* strrchr_limit(char* s, char c, char* limit);
+char* strstr_limit(char* s, char* sub, char* limit);
HTS_INLINE char* jump_protocol(char* source);
void code64(unsigned char* a,int size_a,unsigned char*
b,int crlf);
#ifndef HTTRACK_DEFLIB