You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Ruediger Pluem <rp...@apache.org> on 2007/01/23 22:06:46 UTC

Re: svn commit: r490156 - /httpd/httpd/trunk/modules/metadata/mod_headers.c


On 12/25/2006 06:40 PM, niq@apache.org wrote:
> Author: niq
> Date: Mon Dec 25 09:40:10 2006
> New Revision: 490156
> 
> URL: http://svn.apache.org/viewvc?view=rev&rev=490156
> Log:
> PR#36609 - permit % as the last character of a Header value
> 
> Modified:
>     httpd/httpd/trunk/modules/metadata/mod_headers.c
> 
> Modified: httpd/httpd/trunk/modules/metadata/mod_headers.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/metadata/mod_headers.c?view=diff&rev=490156&r1=490155&r2=490156
> ==============================================================================
> --- httpd/httpd/trunk/modules/metadata/mod_headers.c (original)
> +++ httpd/httpd/trunk/modules/metadata/mod_headers.c Mon Dec 25 09:40:10 2006
> @@ -305,8 +305,8 @@
>      }
>      s++; /* skip the % */
>  
> -    /* Pass through %% as % */
> -    if (*s == '%') {
> +    /* Pass through %% or % at end of string as % */
> +    if ((*s == '%') || (*s == '\0')) {
>          tag->func = constant_item;
>          tag->arg = "%";
>          *sa = ++s;

Doesn't this create an off-by-one error?

Lets s look like the following: s = "%\0t"

This would result in pointing *sa to t.

But in line 360 we have the following loop:

   while (*s) {
        if ((res = parse_format_tag(p, (format_tag *) apr_array_push(hdr->ta), &s))) {
            return res;
        }
    }

It would then start to process the memory region starting with t with parse_format_tag.

I think the following should fix this:

Index: modules/metadata/mod_headers.c
===================================================================
--- modules/metadata/mod_headers.c      (Revision 495852)
+++ modules/metadata/mod_headers.c      (Arbeitskopie)
@@ -309,7 +309,9 @@
     if ((*s == '%') || (*s == '\0')) {
         tag->func = constant_item;
         tag->arg = "%";
-        *sa = ++s;
+        if (*s)
+            s++;
+        *sa = s;
         return NULL;
     }



Regards

RĂ¼diger

Re: svn commit: r490156 - /httpd/httpd/trunk/modules/metadata/mod_headers.c

Posted by Nick Kew <ni...@webthing.com>.
On Tue, 23 Jan 2007 22:06:46 +0100
Ruediger Pluem <rp...@apache.org> wrote:


> > -    /* Pass through %% as % */
> > -    if (*s == '%') {
> > +    /* Pass through %% or % at end of string as % */
> > +    if ((*s == '%') || (*s == '\0')) {
> >          tag->func = constant_item;
> >          tag->arg = "%";
> >          *sa = ++s;
> 
> Doesn't this create an off-by-one error?
> 
> Lets s look like the following: s = "%\0t"

%\0  ??  Oook!

> This would result in pointing *sa to t.
> 
> But in line 360 we have the following loop:
> 
>    while (*s) {
>         if ((res = parse_format_tag(p, (format_tag *)
> apr_array_push(hdr->ta), &s))) { return res;
>         }
>     }
> 
> It would then start to process the memory region starting with t with
> parse_format_tag.

Heh!

> I think the following should fix this:

Yep, looks right, thanks.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/