From 49ac08e2e4d3f71fed66ce1ce5b3d7aefe73f2ed Mon Sep 17 00:00:00 2001
From: John Tytgat
Date: Sat, 1 May 2004 21:37:29 +0000
Subject: [project @ 2004-05-01 21:37:29 by joty] fetch_curl_header() : better protection against malformed header lines; realm data line is now properly terminated with NUL character. svn path=/import/netsurf/; revision=810
---
 content/fetch.c | 35 +++++++++++++++++++++++------------
 1 file changed, 23 insertions(+), 12 deletions(-)
(limited to 'content')
diff --git a/content/fetch.c b/content/fetch.c
index d5bd31733..55ef247f5 100644
--- a/content/fetch.c
+++ b/content/fetch.c
@@ -609,33 +609,44 @@ size_t fetch_curl_header(char * data, size_t size, size_t nmemb, struct fetch *f
 LOG(("malloc failed"));
 return size;
 }
- for (i = 9; data[i] == ' ' || data[i] == '\t'; i++)
- ;
+ for (i = 9; i < size && (data[i] == ' ' || data[i] == '\t'); i++)
+ /* */;
 strncpy(f->location, data + i, size - i);
- for (i = size - i - 1; f->location[i] == ' ' ||
+ f->location[size - i] = '\0';
+ for (i = size - i - 1; i >= 0 &&
+ (f->location[i] == ' ' ||
 f->location[i] == '\t' ||
 f->location[i] == '\r' ||
- f->location[i] == '\n'; i--)
+ f->location[i] == '\n'); i--)
 f->location[i] = '\0';
 } else if (15 < size && strncasecmp(data, "Content-Length:", 15) == 0) {
 /* extract Content-Length header */
- for (i = 15; data[i] == ' ' || data[i] == '\t'; i++)
- ;
+ for (i = 15; i < size && (data[i] == ' ' || data[i] == '\t'); i++)
+ /* */;
 if ('0' <= data[i] && data[i] <= '9')
 f->content_length = atol(data + i);
 #ifdef WITH_AUTH
- } else if (16 < size && strncasecmp(data, "WWW-Authenticate",16) == 0) {
- /* extract Realm from WWW-Authenticate header */
+ } else if (16 < size && strncasecmp(data, "WWW-Authenticate", 16) == 0) {
+ /* extract the first Realm from WWW-Authenticate header */
 free(f->realm);
 f->realm = malloc(size);
 if (!f->realm) {
 LOG(("malloc failed"));
 return size;
 }
- /** \todo this code looks dangerous */
- for (i=16;(unsigned int)i!=strlen(data);i++)
- if(data[i]=='=')break;
- strncpy(f->realm, data+i+2, size-i-5);
+ for (i = 16; i < size && data[i] != '='; i++)
+ /* */;
+ while (i < size && data[++i] == '"')
+ /* */;
+ strncpy(f->realm, data + i, size - i);
+ f->realm[size - i] = '\0';
+ for (i = size - i - 1; i >= 0 &&
+ (f->realm[i] == ' ' ||
+ f->realm[i] == '"' ||
+ f->realm[i] == '\t' ||
+ f->realm[i] == '\r' ||
+ f->realm[i] == '\n'); --i)
+ f->realm[i] = '\0';
 #endif
 }
 return size;
-- 
cgit v1.2.3
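Review bot: Two reads can still land one byte past the `size` bound that the new loops enforce when a header line is malformed. In the WWW-Authenticate branch `while (i < size && data[++i] == '"')` tests `i` but then reads `data[i + 1]`, so a line whose last byte is `=` reads `data[size]`; in the Content-Length branch the unchanged `if ('0' <= data[i] && data[i] <= '9')` runs with `i == size` when only blanks follow the colon. Suggested: `if (i < size) i++;` followed by `while (i < size && data[i] == '"') i++;`, and `if (i < size && '0' <= data[i] && data[i] <= '9')`. The `i >= 0` guards in both trim loops only terminate if `i` is a signed type; its declaration, like the start and end of fetch_curl_header, lies outside this hunk, so that should be confirmed. Separately, the realm branch stops at the first `=` rather than matching `realm=`, so a challenge that lists another parameter first would have that parameter's text stored as the realm, which does not match the "first Realm" comment.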