Please sign in to comment.
Accepted patches from Jeffrey Hutzelman:
I've attached a patch that fixes several problems we found in CGIC 2.05. I can split these up into multiple patches, if that's helpful, but as it is each fix is fairly self-contained. * In main(), when parsing form input fails, the CGI script exits without producing any output whatsoever. Wouldn't it be better to actually emit an error status, instead of expecting the server to do something sane with a script that produces no output? * In mpRead(), a check is done to insure the requested length is not greater than the amount of data still available, and to adjust it if necessary. However, this check is currently done _after_ reading data from the putback buffer, in which process len is decremented by the amount of putback data read, but mpp->offset is not correspondingly incremented (this happens later). As a result, the check uses too small a value for len, and so fails to stop reading soon enough if the requested length is greater than what is available _and_ there was any data in the putback buffer. The fix is to move the check to the beginning of mpRead() * Further, if a read request is satisfied _entirely_ from the putback buffer, mpp->offset is not updated at all, resulting in a similar problem. The solution is to update mpp->offset in the "else if (got)" case. * In cgiParsePostMultipartInput(), if the Content-Disposition of a part is not "form-data", afterNextBoundary() is not called before beginning to process the next part. As a result, parsing of the next part headers begins with the body of the unwanted part. It is necessary in this case to call afterNextBoundary() before continuing with the next cycle. * In handling out-of-memory conditions in afterNextBoundary(), *outP is set to '\0'. While this is technically legal ('\0' is "an integral constant expression with the value 0"), it looks funny. * In cgiCookieString(), a change was introduced in v2.02 which purports to prevent an overrun in cases where cgiCookie is exactly equal to the requested cookie name. In fact, the problem can also occur if the requested name occurs with no values at the end of cgiCookie. Further, the change from v2.02 does not fix the problem, because it compares the _pointers_ p and n to NULL, which they will never equal, rather than comparing the pointers they point at to NUL. * Also in cgiCookieString(), there is a comment suggesting that the main loop never terminates except with a return. This is not the case. For example, it will terminate if the requested cookie is not found and the cgiCookie string ends in a semicolon. * Why did days (formerly daysOfWeek) and months become non-static? This pollutes the namespace of programs using CGIC. * In cgiReadEnvironment(), when reading in the contents of an uploaded file, it is possible that a temporary file is successfully created but then cannot be opened. In this case, no attempt is made to remove the tempoary file. * Further, when a form entry does _not_ include an uploaded file, e->tfileName is set to malloc'd but uninitialized memory. It should be set to an empty string, by setting e->tfileName to zero after the 1-byte buffer is allocated.
- Loading branch information...