Posted to cvs@httpd.apache.org by wr...@apache.org on 2002/03/21 17:02:03 UTC
cvs commit: apache-1.3/src/main gen_test_char.c
wrowe 02/03/21 08:02:03
Modified: src/main gen_test_char.c
Log:
Add % and \r [C/R] to the dangerous Win32/OS2 characters.
Retain the Unix sh escapes list for compatibility.
[William Rowe]
Revision Changes Path
1.7 +15 -1 apache-1.3/src/main/gen_test_char.c
Index: gen_test_char.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/main/gen_test_char.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- gen_test_char.c 9 Feb 1999 12:29:56 -0000 1.6
+++ gen_test_char.c 21 Mar 2002 16:02:03 -0000 1.7
@@ -37,9 +37,23 @@
printf("\n ");
/* escape_shell_cmd */
- if (strchr("&;`'\"|*?~<>^()[]{}$\\\n", c)) {
+#if defined(WIN32) || defined(OS2)
+ /* Win32/OS2 have many of the same vulnerable characters
+ * as Unix sh, plus the carriage return and percent char.
+ * The proper escaping of these characters varies from unix
+ * since Win32/OS2 use carets or doubled-double quotes,
+ * and neither lf nor cr can be escaped. We escape unix
+ * specific as well, to assure that cross-compiled unix
+ * applications behave similiarly when invoked on win32/os2.
+ */
+ if (strchr("&;`'\"|*?~<>^()[]{}$\\\n\r%", c)) {
flags |= T_ESCAPE_SHELL_CMD;
}
+#else
+ if (strchr("&;`'\"|*?~<>^()[]{}$\\\n", c)) {
+ flags |= T_ESCAPE_SHELL_CMD;
+ }
+#endif
if (!ap_isalnum(c) && !strchr("$-_.+!*'(),:@&=~", c)) {
flags |= T_ESCAPE_PATH_SEGMENT;
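Review bot: The Win32/OS2 branch only sets T_ESCAPE_SHELL_CMD for `\r` and `%` in the generated table, while its own comment says neither lf nor cr can be escaped there, so the safety of this change rests on how the code that reads the flag treats those bytes, and that code is not part of this diff. If that consumer still prefixes flagged characters with a backslash, the flag alone would not neutralise a carriage return or a percent sign on those platforms; the comment should name where the platform-specific handling lives, e.g. `* The reader of T_ESCAPE_SHELL_CMD must replace or drop \r, \n and % here; a backslash prefix does not neutralise them.` Separately, the two branches repeat the Unix list verbatim and differ only by `\r%`, so a single `if` over a character set chosen by the `#if` would keep the lists from drifting apart, and the comment misspells "similarly". The enclosing loop starts and ends outside the hunk.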