summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohn Tytgat <joty@netsurf-browser.org>2004-05-01 21:37:29 +0000
committerJohn Tytgat <joty@netsurf-browser.org>2004-05-01 21:37:29 +0000
commit49ac08e2e4d3f71fed66ce1ce5b3d7aefe73f2ed (patch)
treee1047938994d35e672b022e740c9a9ca217b1e9b
parentdcfa1164d366f4fbcbbed60bb00a1e12c7d4ea3f (diff)
downloadnetsurf-49ac08e2e4d3f71fed66ce1ce5b3d7aefe73f2ed.tar.gz
netsurf-49ac08e2e4d3f71fed66ce1ce5b3d7aefe73f2ed.tar.bz2
[project @ 2004-05-01 21:37:29 by joty]
fetch_curl_header() : better protection against malformed header lines; realm data line is now properly terminated with NUL character. svn path=/import/netsurf/; revision=810
-rw-r--r--content/fetch.c35
1 files changed, 23 insertions, 12 deletions
diff --git a/content/fetch.c b/content/fetch.c
index d5bd31733..55ef247f5 100644
--- a/content/fetch.c
+++ b/content/fetch.c
@@ -609,33 +609,44 @@ size_t fetch_curl_header(char * data, size_t size, size_t nmemb, struct fetch *f
LOG(("malloc failed"));
return size;
}
- for (i = 9; data[i] == ' ' || data[i] == '\t'; i++)
- ;
+ for (i = 9; i < size && (data[i] == ' ' || data[i] == '\t'); i++)
+ /* */;
strncpy(f->location, data + i, size - i);
- for (i = size - i - 1; f->location[i] == ' ' ||
+ f->location[size - i] = '\0';
+ for (i = size - i - 1; i >= 0 &&
+ (f->location[i] == ' ' ||
f->location[i] == '\t' ||
f->location[i] == '\r' ||
- f->location[i] == '\n'; i--)
+ f->location[i] == '\n'); i--)
f->location[i] = '\0';
} else if (15 < size && strncasecmp(data, "Content-Length:", 15) == 0) {
/* extract Content-Length header */
- for (i = 15; data[i] == ' ' || data[i] == '\t'; i++)
- ;
+ for (i = 15; i < size && (data[i] == ' ' || data[i] == '\t'); i++)
+ /* */;
if ('0' <= data[i] && data[i] <= '9')
f->content_length = atol(data + i);
#ifdef WITH_AUTH
- } else if (16 < size && strncasecmp(data, "WWW-Authenticate",16) == 0) {
- /* extract Realm from WWW-Authenticate header */
+ } else if (16 < size && strncasecmp(data, "WWW-Authenticate", 16) == 0) {
+ /* extract the first Realm from WWW-Authenticate header */
free(f->realm);
f->realm = malloc(size);
if (!f->realm) {
LOG(("malloc failed"));
return size;
}
- /** \todo this code looks dangerous */
- for (i=16;(unsigned int)i!=strlen(data);i++)
- if(data[i]=='=')break;
- strncpy(f->realm, data+i+2, size-i-5);
+ for (i = 16; i < size && data[i] != '='; i++)
+ /* */;
+ while (i < size && data[++i] == '"')
+ /* */;
+ strncpy(f->realm, data + i, size - i);
+ f->realm[size - i] = '\0';
+ for (i = size - i - 1; i >= 0 &&
+ (f->realm[i] == ' ' ||
+ f->realm[i] == '"' ||
+ f->realm[i] == '\t' ||
+ f->realm[i] == '\r' ||
+ f->realm[i] == '\n'); --i)
+ f->realm[i] = '\0';
#endif
}
return size;