authorGlenn Strauss <gstrauss@gluelogic.com>2019-04-10 11:28:10 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2019-04-10 11:36:28 -0400
commit32120d5b8b3203fc21ccb9eafb0eaf824bb59354 (patch)
tree4a8e4dd5da23581505d3f4ab3222f190a99be344
parent107fa1f2827d281468e2c12b539751a5a68acbe5 (diff)
[core] fix abort in http-parseopts (fixes #2945)
fix abort in server.http-parseopts with url-path-2f-decode enabled (thx stze) x-ref: "Security - SIGABRT during GET request handling with url-path-2f-decode enabled" https://redmine.lighttpd.net/issues/2945
-rw-r--r--src/burl.c6
-rw-r--r--src/t/test_burl.c2
2 files changed, 6 insertions, 2 deletions
diff --git a/src/burl.c b/src/burl.c
index 5118262..c4b928f 100644
--- a/src/burl.c
+++ b/src/burl.c
@@ -252,8 +252,10 @@ static int burl_normalize_2F_to_slash_fix (buffer *b, int qs, int i)
}
}
if (qs >= 0) {
- memmove(s+j, s+qs, blen - qs);
- j += blen - qs;
+ const int qslen = blen - qs;
+ memmove(s+j, s+qs, (size_t)qslen);
+ qs = j;
+ j += qslen;
}
buffer_string_set_length(b, j);
return qs;
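Review bot: The `qs = j;` assignment changes what burl_normalize_2F_to_slash_fix returns, and nothing in the hunk documents it: the function now returns the query-string offset in the shortened buffer rather than the caller's original offset. A one-line comment above the assignment, e.g. `/* path shrank; report the query string's new offset to the caller */`, would keep a later edit from reintroducing the stale offset behind the SIGABRT in the linked issue. Separately, `(size_t)qslen` relies on `qs <= blen`, since a negative `qslen` would become a very large memmove length. That invariant is presumably established earlier in the function, which starts outside this hunk and closes after it, so it is worth confirming there.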
diff --git a/src/t/test_burl.c b/src/t/test_burl.c
index 7be9be5..f7a1681 100644
--- a/src/t/test_burl.c
+++ b/src/t/test_burl.c
@@ -97,6 +97,8 @@ static void test_burl_normalize (void) {
flags |= HTTP_PARSEOPT_URL_NORMALIZE_PATH_2F_DECODE;
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=/"), CONST_STR_LEN("/a/b?c=/"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=%2f"), CONST_STR_LEN("/a/b?c=/"));
+ run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f?"), CONST_STR_LEN("/?"));
+ run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%2f?"), CONST_STR_LEN("//?"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2fb"), CONST_STR_LEN("/a/b"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2Fb"), CONST_STR_LEN("/a/b"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2fb?c=/"), CONST_STR_LEN("/a/b?c=/"));
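Review bot: Both added cases (`"%2f?"` and `"/%2f?"`) end in an empty query, so they pin the case where the old returned offset fell past the end of the shortened buffer, but not one where a stale offset would still be in range. If the caller uses the returned offset for further query-string processing (not visible here), a case that combines a decoded path `%2f` with an encoded query would cover that, e.g. `run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f?c=%2f"), CONST_STR_LEN("/?c=/"));`. The expected value is inferred from the neighbouring `"/a/b?c=%2f"` case and should be confirmed against the active flags. test_burl_normalize starts before and continues after this hunk.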