mirror of
https://git.FreeBSD.org/ports.git
synced 2024-11-29 01:13:08 +00:00
176 lines
5.2 KiB
Plaintext
176 lines
5.2 KiB
Plaintext
|
commit d97e03f32741a7d851826b03ed73ff4c9612a866
|
||
|
Author: Eric Stanley <estanley@nagios.com>
|
||
|
Date: 2013-12-20 13:14:30 -0600
|
||
|
|
||
|
CGIs: Fixed minor vulnerability where a custom query could crash the CGI.
|
||
|
|
||
|
Most CGIs previously incremented the input variable counter twice when
|
||
|
it encountered a long key value. This could cause the CGI to read past
|
||
|
the end of the list of CGI variables. This commit removes the second
|
||
|
increment, removing the possibility of reading past the end of the list
|
||
|
of CGI variables.
|
||
|
|
||
|
diff --git ./cgi/avail.c ./cgi/avail.c
|
||
|
index 76afd86..64eaadc 100644
|
||
|
--- ./cgi/avail.c
|
||
|
+++ ./cgi/avail.c
|
||
|
@@ -1096,7 +1096,6 @@ int process_cgivars(void) {
|
||
|
|
||
|
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||
|
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||
|
- x++;
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
diff --git ./cgi/cmd.c ./cgi/cmd.c
|
||
|
index fa6cf5a..50504eb 100644
|
||
|
--- ./cgi/cmd.c
|
||
|
+++ ./cgi/cmd.c
|
||
|
@@ -311,7 +311,6 @@ int process_cgivars(void) {
|
||
|
|
||
|
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||
|
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||
|
- x++;
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
diff --git ./cgi/config.c ./cgi/config.c
|
||
|
index f061b0f..3360e70 100644
|
||
|
--- ./cgi/config.c
|
||
|
+++ ./cgi/config.c
|
||
|
@@ -344,7 +344,6 @@ int process_cgivars(void) {
|
||
|
|
||
|
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||
|
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||
|
- x++;
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
diff --git ./cgi/extinfo.c ./cgi/extinfo.c
|
||
|
index 62a1b18..5113df4 100644
|
||
|
--- ./cgi/extinfo.c
|
||
|
+++ ./cgi/extinfo.c
|
||
|
@@ -591,7 +591,6 @@ int process_cgivars(void) {
|
||
|
|
||
|
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||
|
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||
|
- x++;
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
diff --git ./cgi/histogram.c ./cgi/histogram.c
|
||
|
index 4616541..f6934d0 100644
|
||
|
--- ./cgi/histogram.c
|
||
|
+++ ./cgi/histogram.c
|
||
|
@@ -1060,7 +1060,6 @@ int process_cgivars(void) {
|
||
|
|
||
|
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||
|
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||
|
- x++;
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
diff --git ./cgi/notifications.c ./cgi/notifications.c
|
||
|
index 8ba11c1..461ae84 100644
|
||
|
--- ./cgi/notifications.c
|
||
|
+++ ./cgi/notifications.c
|
||
|
@@ -327,7 +327,6 @@ int process_cgivars(void) {
|
||
|
|
||
|
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||
|
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||
|
- x++;
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
diff --git ./cgi/outages.c ./cgi/outages.c
|
||
|
index 426ede6..cb58dee 100644
|
||
|
--- ./cgi/outages.c
|
||
|
+++ ./cgi/outages.c
|
||
|
@@ -225,7 +225,6 @@ int process_cgivars(void) {
|
||
|
|
||
|
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||
|
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||
|
- x++;
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
diff --git ./cgi/status.c ./cgi/status.c
|
||
|
index 3253340..4ec1c92 100644
|
||
|
--- ./cgi/status.c
|
||
|
+++ ./cgi/status.c
|
||
|
@@ -567,7 +567,6 @@ int process_cgivars(void) {
|
||
|
|
||
|
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||
|
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||
|
- x++;
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
diff --git ./cgi/statusmap.c ./cgi/statusmap.c
|
||
|
index ea48368..2580ae5 100644
|
||
|
--- ./cgi/statusmap.c
|
||
|
+++ ./cgi/statusmap.c
|
||
|
@@ -400,7 +400,6 @@ int process_cgivars(void) {
|
||
|
|
||
|
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||
|
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||
|
- x++;
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
diff --git ./cgi/statuswml.c ./cgi/statuswml.c
|
||
|
index bd8cea2..d25abef 100644
|
||
|
--- ./cgi/statuswml.c
|
||
|
+++ ./cgi/statuswml.c
|
||
|
@@ -226,8 +226,13 @@ int process_cgivars(void) {
|
||
|
|
||
|
for(x = 0; variables[x] != NULL; x++) {
|
||
|
|
||
|
+ /* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||
|
+ if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||
|
+ continue;
|
||
|
+ }
|
||
|
+
|
||
|
/* we found the hostgroup argument */
|
||
|
- if(!strcmp(variables[x], "hostgroup")) {
|
||
|
+ else if(!strcmp(variables[x], "hostgroup")) {
|
||
|
display_type = DISPLAY_HOSTGROUP;
|
||
|
x++;
|
||
|
if(variables[x] == NULL) {
|
||
|
diff --git ./cgi/summary.c ./cgi/summary.c
|
||
|
index 126ce5e..749a02c 100644
|
||
|
--- ./cgi/summary.c
|
||
|
+++ ./cgi/summary.c
|
||
|
@@ -725,7 +725,6 @@ int process_cgivars(void) {
|
||
|
|
||
|
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||
|
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||
|
- x++;
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
diff --git ./cgi/trends.c ./cgi/trends.c
|
||
|
index b35c18e..895db01 100644
|
||
|
--- ./cgi/trends.c
|
||
|
+++ ./cgi/trends.c
|
||
|
@@ -1263,7 +1263,6 @@ int process_cgivars(void) {
|
||
|
|
||
|
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||
|
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||
|
- x++;
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
diff --git ./contrib/daemonchk.c ./contrib/daemonchk.c
|
||
|
index 78716e5..9bb6c4b 100644
|
||
|
--- ./contrib/daemonchk.c
|
||
|
+++ ./contrib/daemonchk.c
|
||
|
@@ -174,7 +174,6 @@ static int process_cgivars(void) {
|
||
|
|
||
|
/* do some basic length checking on the variable identifier to prevent buffer overflows */
|
||
|
if(strlen(variables[x]) >= MAX_INPUT_BUFFER - 1) {
|
||
|
- x++;
|
||
|
continue;
|
||
|
}
|
||
|
}
|