mirror/freebsd-ports
1
0
Fork 0
mirror of https://git.FreeBSD.org/ports.git synced 2024-12-16 03:24:07 +00:00
Code Issues Releases Activity
64b1d041ac
freebsd-ports/www/cgihtml/files/patch-aa
Peter Pentchev cb98017ae9 Fix the vulnerabilities reported in Chris Leishman's BugTraq post of 
2003/01/07, and a couple of other ones while I'm here.  This could
still benefit from an in-depth audit, though.
Bump PORTREVISION, unquote COMMENT, remove the FORBIDDEN tag.
2003-10-27 12:18:06 +00:00

122 lines
3.6 KiB
Plaintext
Raw Blame History

Index: cgi-lib.c
===================================================================
RCS file: /home/cvs/ringlet/c/contrib/www/cgihtml/cgi-lib.c,v
retrieving revision 1.1.1.1
retrieving revision 1.6
diff -u -r1.1.1.1 -r1.6
--- cgi-lib.c 27 Oct 2003 09:39:04 -0000 1.1.1.1
+++ cgi-lib.c 27 Oct 2003 12:07:00 -0000 1.6
@@ -17,6 +17,10 @@
#ifdef WINDOWS
#include <io.h>
+#define mktemp _mktemp
+#define snprintf _snprintf
+#else
+#include <unistd.h>
#endif
#include "cgi-lib.h"
@@ -87,11 +91,11 @@
char *get_POST()
{
- unsigned int content_length;
+ size_t content_length;
char *buffer;
if (CONTENT_LENGTH != NULL) {
- content_length = atoi(CONTENT_LENGTH);
+ content_length = (size_t)strtoull(CONTENT_LENGTH, NULL, 10);
buffer = (char *)malloc(sizeof(char) * content_length + 1);
if (fread(buffer,sizeof(char),content_length,stdin) != content_length) {
/* consistency error. */
@@ -202,7 +206,7 @@
int parse_form_encoded(llist* entries)
{
- long content_length;
+ size_t content_length, fnsize;
entrytype entry;
node* window;
FILE *uploadfile;
@@ -220,7 +224,7 @@
_fmode = BINARY; /* default all file I/O as binary */
#endif
if (CONTENT_LENGTH != NULL)
- content_length = atol(CONTENT_LENGTH);
+ content_length = (size_t)strtoull(CONTENT_LENGTH, NULL, 10);
else
return 0;
/* get boundary */
@@ -241,14 +245,20 @@
robustness sake. */
buffer[bytesread] = '\0';
tempstr = newstr(buffer);
- tempstr += (sizeof(char) * 38); /* 38 is header up to name */
- entry.name = tempstr;
+ entry.name = strstr(tempstr, "name=\"");
+ if (entry.name == NULL) {
+ free(tempstr);
+ return 0;
+ }
+ entry.name += 6;
+ if (strchr(entry.name, '"') == NULL) {
+ free(tempstr);
+ return 0;
+ }
+ *strchr(entry.name, '"') = '\0';
entry.value = (char *)malloc(sizeof(char) * BUFSIZ + 1);
buffersize = BUFSIZ;
strcpy(entry.value,"");
- while (*tempstr != '"')
- tempstr++;
- *tempstr = '\0';
if (strstr(buffer,"filename=\"") != NULL) {
isfile = 1;
tempstr = newstr(buffer);
@@ -258,9 +268,9 @@
entry.value = (char *) realloc(entry.value, sizeof(char) *
strlen(tempstr)+1);
entry.value = tempstr;
- while (*tempstr != '"')
- tempstr++;
- *tempstr = '\0';
+ if (strchr(tempstr, '"') == NULL)
+ return 0;
+ *strchr(tempstr, '"') = '\0';
/* Netscape's Windows browsers handle paths differently from its
UNIX and Mac browsers. It delivers a full path for the uploaded
file (which it shouldn't do), and it uses backslashes rather than
@@ -275,13 +285,12 @@
}
window = list_insafter(entries,window,entry);
numentries++;
- uploadfname = (char *)malloc(strlen(UPLOADDIR)+strlen(entry.value)+2);
-#ifdef WINDOWS
- sprintf(uploadfname,"%s\\%s",UPLOADDIR,entry.value);
-#else
- sprintf(uploadfname,"%s/%s",UPLOADDIR,entry.value);
-#endif
- if ( (uploadfile = fopen(uploadfname,"w")) == NULL) {
+ fnsize = strlen(UPLOADDIR) + 30;
+ uploadfname = (char *)malloc(fnsize);
+ snprintf(uploadfname,fnsize,"%s/cgihtml-upload-XXXXXX",UPLOADDIR);
+ uploadfname[fnsize - 1] = '\0';
+ if (mktemp(uploadfname) == NULL ||
+ (uploadfile = fopen(uploadfname,"w")) == NULL) {
/* null filename; for now, just don't save info. later, save
to default file */
isfile = 0;
@@ -529,9 +538,9 @@
int numcookies = 0;
short NM = 1;
+ list_create(entries);
if (cookies == NULL)
return 0;
- list_create(entries);
window = entries->head;
len = strlen(cookies);
entry.name = (char *)malloc(sizeof(char) * len + 1);
Reference in New Issue View Git Blame Copy Permalink