Posted to apreq-cvs@httpd.apache.org by jo...@apache.org on 2003/04/15 23:47:23 UTC
cvs commit: httpd-apreq-2/src apreq.c apreq.h apreq_parsers.c
joes 2003/04/15 14:47:23
Modified: src apreq.c apreq.h apreq_parsers.c
Log:
Fix off-by-one errors in url parser.
Revision Changes Path
1.11 +1 -1 httpd-apreq-2/src/apreq.c
Index: apreq.c
===================================================================
RCS file: /home/cvs/httpd-apreq-2/src/apreq.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- apreq.c 15 Apr 2003 09:36:11 -0000 1.10
+++ apreq.c 15 Apr 2003 21:47:23 -0000 1.11
@@ -271,7 +271,7 @@
}
APREQ_DECLARE(apr_ssize_t) apreq_decode(char *d, const char *s,
- const apr_ssize_t slen)
+ const apr_size_t slen)
{
register int badesc = 0;
char *start = d;
1.11 +1 -1 httpd-apreq-2/src/apreq.h
Index: apreq.h
===================================================================
RCS file: /home/cvs/httpd-apreq-2/src/apreq.h,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- apreq.h 15 Apr 2003 09:36:11 -0000 1.10
+++ apreq.h 15 Apr 2003 21:47:23 -0000 1.11
@@ -69,7 +69,7 @@
/* url-escapes non-alphanumeric characters */
apr_size_t apreq_quote(char *dest, const char *src, const apr_size_t slen);
apr_size_t apreq_encode(char *dest, const char *src, const apr_size_t slen);
-apr_ssize_t apreq_decode(char *dest, const char *src, apr_ssize_t slen);
+apr_ssize_t apreq_decode(char *dest, const char *src, const apr_size_t slen);
APREQ_DECLARE(char *) apreq_escape(apr_pool_t *p,
const char *src, const apr_size_t slen);
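Review bot: The updated `apreq_decode` prototype is still declared without `APREQ_DECLARE`, while the definition in apreq.c in this same commit is `APREQ_DECLARE(apr_ssize_t) apreq_decode(...)` and the neighbouring `apreq_escape` prototype uses the macro. If `APREQ_DECLARE` expands to an export or calling-convention attribute (its definition is not visible here), header and definition disagree; I would write `APREQ_DECLARE(apr_ssize_t) apreq_decode(char *dest, const char *src, const apr_size_t slen);`. Now that `slen` is unsigned, a length that wrapped in a caller's subtraction can no longer show up as negative, so a comment such as `/* slen: byte count of src; must not exceed the source buffer */` would make the contract explicit.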
1.11 +19 -34 httpd-apreq-2/src/apreq_parsers.c
Index: apreq_parsers.c
===================================================================
RCS file: /home/cvs/httpd-apreq-2/src/apreq_parsers.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- apreq_parsers.c 15 Apr 2003 09:36:11 -0000 1.10
+++ apreq_parsers.c 15 Apr 2003 21:47:23 -0000 1.11
@@ -154,7 +154,6 @@
{
apreq_param_t *param = apr_palloc(pool, nlen + vlen + 1 + sizeof *param);
apr_size_t total, off;
- const apr_size_t glen = 1;
apreq_value_t *v = ¶m->v;
param->bb = NULL;
@@ -176,9 +175,13 @@
if ( s != APR_SUCCESS )
return s;
- if (dlen > nlen - total) {
- apr_bucket_split(f, nlen - total);
- dlen = nlen - total;
+ total += dlen;
+
+ if (total >= nlen) {
+ dlen -= total - nlen;
+ apr_bucket_split(f, dlen);
+ if (data[dlen-1] == '=')
+ --dlen;
}
decoded_len = apreq_decode((char *)v->name + off, data, dlen);
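Review bot: The return value of `apr_bucket_split(f, dlen)` is dropped, so if the split fails the `apr_bucket_delete(f)` further down removes the whole bucket, including the bytes that follow the name, and the parser loses its place in the brigade. I would write `s = apr_bucket_split(f, dlen);` followed by `if (s != APR_SUCCESS) return s;`, reusing the status variable checked just above. The same applies to the split in the value loop (the `total >= vlen` branch). The loop header is outside this hunk.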
@@ -187,35 +190,12 @@
return APR_BADARG;
}
- total += dlen;
off += decoded_len;
apr_bucket_delete(f);
}
((char *)v->name)[off] = 0;
- /* skip gap */
-
- off = 0;
- while (off < glen) {
- apr_size_t dlen;
- const char *data;
- apr_bucket *f = APR_BRIGADE_FIRST(bb);
- apr_status_t s = apr_bucket_read(f, &data, &dlen, APR_BLOCK_READ);
-
- if ( s != APR_SUCCESS )
- return s;
-
- if (dlen > glen - off) {
- apr_bucket_split(f, glen - off);
- dlen = glen - off;
- }
-
- off += dlen;
- apr_bucket_delete(f);
- }
-
-
off = 0;
total = 0;
while (total < vlen) {
@@ -228,9 +208,13 @@
if ( s != APR_SUCCESS )
return s;
- if (dlen > vlen - off) {
- apr_bucket_split(f, vlen - total);
- dlen = vlen - total;
+ total += dlen;
+
+ if (total >= vlen) {
+ dlen -= total - vlen;
+ apr_bucket_split(f, dlen);
+ if (data[dlen-1] == '&' || data[dlen-1] == ';')
+ --dlen;
}
decoded_len = apreq_decode(v->data + off, data, dlen);
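Review bot: `data[dlen-1]` is in bounds only because `dlen` is at least 1 after `dlen -= total - vlen`, which holds as long as each iteration starts with `total < vlen`. `dlen` is presumably an `apr_size_t` here, as in the removed gap loop, so a zero would wrap and index far outside the bucket data. That invariant deserves a comment above the test, for example `/* total < vlen on entry, so dlen >= 1 here */`. The `'='` test in the name loop relies on the same reasoning with `nlen` and should carry the same comment.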
@@ -239,7 +223,6 @@
return APR_BADCH;
}
- total += dlen;
off += decoded_len;
apr_bucket_delete(f);
}
@@ -282,8 +265,8 @@
if (APR_BUCKET_IS_EOS(e)) {
apreq_log(APREQ_DEBUG s, req->env,
"got eos bucket: %d, %d", nlen, vlen);
- return vlen == 0 ? APR_SUCCESS :
- split_urlword(pool, t, bb, nlen, vlen);
+ return parser->v.status == URL_NAME ? APR_SUCCESS :
+ split_urlword(pool, t, bb, nlen+1, vlen);
}
if ( s != APR_SUCCESS )
return s;
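Review bot: With the new condition a stream that ends in the `URL_NAME` state returns `APR_SUCCESS` without calling `split_urlword`, so a trailing token with no `=` appears to be discarded silently and its bytes left in `bb` (the state machine is outside the hunk, so this is inferred). If that is intended, say so with a comment such as `/* a trailing name without '=' is ignored at EOS */`. The `'&'`/`';'` branch further down passes `nlen+1` unconditionally; if it can be reached while still in `URL_NAME`, the extra byte is the separator rather than `=`, the `data[dlen-1] == '='` test does not strip it, and the value loop would then consume one byte of the next pair.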
@@ -314,7 +297,9 @@
switch (data[off++]) {
case '&':
case ';':
- s = split_urlword(pool, t, bb, nlen, vlen + 1);
+ apreq_log(APREQ_DEBUG 0, req->env,
+ "got word: %d, %d", nlen, vlen);
+ s = split_urlword(pool, t, bb, nlen+1, vlen+1);
if (s != APR_SUCCESS)
return s;
goto parse_url_brigade;
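Review bot: The added `apreq_log` call formats `nlen` and `vlen` with `%d`; if they are `apr_size_t` here, as the arithmetic on them in `split_urlword` suggests, the specifier does not match the argument type on LP64 targets. `"got word: %" APR_SIZE_T_FMT ", %" APR_SIZE_T_FMT` is the APR way to print them. The EOS log line earlier in this file uses the same `%d, %d` and would need the same change. The declarations of both variables are outside the hunk.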