Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1997/01/26 01:58:20 UTC
Re: [PATCH] fix mod_info output corruption
+1
> This bug was added during the buffer overflow patch. mod_info was
> printing garbage whenever it encountered < or >. This patch fixes that
> and also allows it to escape & should it ever need to. (We should
> probably have a standard escaping function.)
>
> Dean
>
> Index: mod_info.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/mod_info.c,v
> retrieving revision 1.10
> diff -c -3 -r1.10 mod_info.c
> *** mod_info.c 1997/01/20 04:28:14 1.10
> --- mod_info.c 1997/01/26 00:27:24
> ***************
> *** 89,107 ****
> char *mod_info_html_cmd_string(char *string) {
> char *s,*t;
> static char ret[256]; /* What is the max size of a command? */
>
> ret[0]='\0';
> s = string;
> t=ret;
> ! while((*s) && (strlen(t) < 256)) {
> if(*s=='<') {
> ! strncat(t,"<", sizeof(ret)-strlen(ret));
> t+=4*sizeof(char);
> } else if(*s=='>') {
> ! strncat(t,">", sizeof(ret)-strlen(ret));
> t+=4*sizeof(char);
> }
> - else *t++=*s;
> s++;
> }
> *t='\0';
> --- 89,113 ----
> char *mod_info_html_cmd_string(char *string) {
> char *s,*t;
> static char ret[256]; /* What is the max size of a command? */
> + char *end_ret;
>
> ret[0]='\0';
> s = string;
> t=ret;
> ! end_ret = t + sizeof(ret);
> ! while((*s) && ((t-ret) < sizeof(ret))) {
> if(*s=='<') {
> ! strncpy(t,"<", end_ret - t);
> t+=4*sizeof(char);
> } else if(*s=='>') {
> ! strncpy(t,">", end_ret - t);
> t+=4*sizeof(char);
> + } else if(*s=='&') {
> + strncpy(t,"&", end_ret - t);
> + t+=5*sizeof(char);
> + } else {
> + *t++=*s;
> }
> s++;
> }
> *t='\0';
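Review bot: The terminating `*t='\0'` after the loop can still land past the end of `ret`, because the new loop condition only checks that `t` is inside the buffer before a write that then advances `t` by up to 5. With `t` at `ret+255` a plain character leaves `t == end_ret`, and an entity leaves it up to four bytes beyond, since the `strncpy` is bounded but the `t+=4`/`t+=5` that follows it is not; the entity itself is also emitted truncated in that case. Reserving room for the longest entity plus the terminator in the condition closes both: `while((*s) && ((end_ret - t) > 5)) {`. The entity literals show on this page as bare `<`, `>` and `&`, presumably decoded by the archive, so the increments are read here as matching `&lt;`, `&gt;` and `&amp;`; the end of mod_info_html_cmd_string lies outside the hunk.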
>