pike.git/ src/ modules/ _Roxen/ roxen.c

2016-06-29

2016-06-29 10:49:15 by Henrik Grubbström (Grubba) <grubba@grubba.org>

• 14bd48f3609aa3d8b3fd5c63608bd9383b47d49d (35 lines) (+32/-3) ^{[ Show | Annotate ]}
  Branch: 8.0

Roxen: Improved argument checking in make_http_headers().

Ensure that the formatted headers are valid.

Fixes the entire class of bugs that [bug 7737 (#7737)] represents.

305:   /*! @endclass    */    + static int valid_header_name(struct pike_string *s) + { +  ptrdiff_t i; +  if (s->size_shift) return 0; +  for (i = 0; i < s->len; i++) { +  int c = s->str[i]; +  if ((c == '\n') || (c == '\r') || (c == '\t') || (c == ' ') || (c == ':')) { +  // The header formatting should not be broken by strange header names. +  return 0; +  } +  } +  return 1; + } +  + static int valid_header_value(struct pike_string *s) + { +  ptrdiff_t i; +  if (s->size_shift) return 0; +  for (i = 0; i < s->len; i++) { +  int c = s->str[i]; +  if ((c == '\n') || (c == '\r')) { +  // The header formatting should not be broken by strange header values. +  return 0; +  } +  } +  return 1; + } +    static void f_make_http_headers( INT32 args )   /*! @decl string @    *! make_http_headers(mapping(string:string|array(string)) headers, @
332:    /* loop to check len */    NEW_MAPPING_LOOP( m->data )    { -  if( TYPEOF(k->ind) != PIKE_T_STRING || k->ind.u.string->size_shift ) +  if( TYPEOF(k->ind) != PIKE_T_STRING || !valid_header_name(k->ind.u.string) )    Pike_error("Wrong argument type to make_http_headers("    "mapping(string(8bit):string(8bit)|array(string(8bit))) heads)\n"); -  if( TYPEOF(k->val) == PIKE_T_STRING && !k->val.u.string->size_shift ) +  if( TYPEOF(k->val) == PIKE_T_STRING && valid_header_value(k->val.u.string) )    total_len += k->val.u.string->len + 2 + k->ind.u.string->len + 2;    else if( TYPEOF(k->val) == PIKE_T_ARRAY )    {
343:    ptrdiff_t i, kl = k->ind.u.string->len + 2 ;    for( i = 0; i<a->size; i++ )    if( TYPEOF(a->item[i]) != PIKE_T_STRING || -  a->item[i].u.string->size_shift ) +  !valid_header_value(a->item[i].u.string) )    Pike_error("Wrong argument type to make_http_headers("    "mapping(string(8bit):string(8bit)|"    "array(string(8bit))) heads)\n");