
Add a workaround for a squidGuard bug that unescape the URL and send …

…it back unescaped. This could lead to wrong results and a squidclamav crash, especially with URLs containing the %0D or %0A character. John Xue
1 parent 5806d10 commit 80f74451f628264d1d9a1f1c0bbcebc932ba5e00 @darold committed Jul 24, 2012
Showing with 43 additions and 2 deletions.
  1. +43 −2 src/squidclamav.c
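--- a/src/squidclamav.c
+++ b/src/squidclamav.c
@@ -133,7 +133,7 @@ void cfgreload_command(char *, int, char **);
 int create_pipe(char *command);
 int dconnect (void);
 int connectINET(char *serverHost, uint16_t serverPort);
-
+char * replace(const char *s, const char *old, const char *new);
 /* ----------------------------------------------------- */
@@ -365,10 +365,14 @@ int squidclamav_check_preview_handler(char *preview_data, int preview_data_len,
 /* Check URL header against squidGuard */
 if (usepipe == 1) {
+ char *rbuff = NULL;
 ci_debug_printf(2, "DEBUG squidclamav_check_preview_handler: Sending request to chained program: %s\n", squidguard);
 ci_debug_printf(2, "DEBUG squidclamav_check_preview_handler: Request: %s %s %s %s\n", httpinf.url,clientip,username,httpinf.method);
- fprintf(sgfpw,"%s %s %s %s\n",httpinf.url,clientip,username,httpinf.method);
+ /* escaping escaped character to prevent unescaping by squidguard */
+ rbuff = replace(httpinf.url, "%", "%25");
+ fprintf(sgfpw,"%s %s %s %s\n",rbuff,clientip,username,httpinf.method);
 fflush(sgfpw);
+ xfree(rbuff);
 /* the chained redirector must return empty line if ok or the redirection url */
 chain_ret = (char *)malloc(sizeof(char)*MAX_URL_SIZE);
 if (chain_ret != NULL) {
@@ -1628,3 +1632,40 @@ connectINET(char *serverHost, uint16_t serverPort)
 return asockd;
 }
+
+/**
+ * Searches all occurrences of old into s
+ * and replaces with new
+ */
+char *
+replace(const char *s, const char *old, const char *new)
+{
+ char *ret;
+ int i, count = 0;
+ size_t newlen = strlen(new);
+ size_t oldlen = strlen(old);
+
+ for (i = 0; s[i] != '\0'; i++) {
+ if (strstr(&s[i], old) == &s[i]) {
+ count++;
+ i += oldlen - 1;
+ }
+ }
+ ret = malloc(i + 1 + count * (newlen - oldlen));
+ if (ret != NULL) {
+ i = 0;
+ while (*s) {
+ if (strstr(s, old) == s) {
+ strcpy(&ret[i], new);
+ i += newlen;
+ s += oldlen;
+ } else {
+ ret[i++] = *s++;
+ }
+ }
+ ret[i] = '\0';
+ }
+
+ return ret;
+}
+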
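Review bot: In the `usepipe == 1` branch of squidclamav_check_preview_handler, `rbuff` goes straight into `fprintf(sgfpw, "%s ...")` with no NULL check, although the new replace() returns NULL when its malloc fails. Passing NULL for `%s` is undefined behaviour, and on C libraries that print a placeholder instead of crashing, the chained redirector would be judging a placeholder string rather than the requested URL. I would add an `if (rbuff == NULL)` guard directly after the `replace()` call and take the handler's existing allocation-failure path, which lies outside this hunk. Separately, replace() tests each position with `strstr(&s[i], old) == &s[i]`, which rescans the rest of the client-supplied URL at every offset and never terminates if `old` is empty. `strncmp(&s[i], old, oldlen) == 0` plus an early `if (oldlen == 0)` return would bound the work.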
