
Add a workaround for a squidGuard bug that unescape the URL and send …

…it back unescaped. This could lead to wrong results and a squidclamav crash, especially with URLs containing the %0D or %0A character. John Xue
darold committed Jul 24, 2012
1 parent 5806d10 commit 80f74451f628264d1d9a1f1c0bbcebc932ba5e00
Showing with 43 additions and 2 deletions.
  1. +43 −2 src/squidclamav.c
@@ -133,7 +133,7 @@ void cfgreload_command(char *, int, char **);
int create_pipe(char *command);
int dconnect (void);
int connectINET(char *serverHost, uint16_t serverPort);
char * replace(const char *s, const char *old, const char *new);
/* ----------------------------------------------------- */
@@ -365,10 +365,14 @@ int squidclamav_check_preview_handler(char *preview_data, int preview_data_len,
/* Check URL header against squidGuard */
if (usepipe == 1) {
char *rbuff = NULL;
ci_debug_printf(2, "DEBUG squidclamav_check_preview_handler: Sending request to chained program: %s\n", squidguard);
ci_debug_printf(2, "DEBUG squidclamav_check_preview_handler: Request: %s %s %s %s\n", httpinf.url,clientip,username,httpinf.method);
fprintf(sgfpw,"%s %s %s %s\n",httpinf.url,clientip,username,httpinf.method);
/* escaping escaped character to prevent unescaping by squidguard */
rbuff = replace(httpinf.url, "%", "%25");
fprintf(sgfpw,"%s %s %s %s\n",rbuff,clientip,username,httpinf.method);
fflush(sgfpw);
xfree(rbuff);
/* the chained redirector must return empty line if ok or the redirection url */
chain_ret = (char *)malloc(sizeof(char)*MAX_URL_SIZE);
if (chain_ret != NULL) {
@@ -1628,3 +1632,40 @@ connectINET(char *serverHost, uint16_t serverPort)
return asockd;
}
/**
* Searches all occurrences of old into s
* and replaces with new
*/
char *
replace(const char *s, const char *old, const char *new)
{
char *ret;
int i, count = 0;
size_t newlen = strlen(new);
size_t oldlen = strlen(old);
for (i = 0; s[i] != '\0'; i++) {
if (strstr(&s[i], old) == &s[i]) {
count++;
i += oldlen - 1;
}
}
ret = malloc(i + 1 + count * (newlen - oldlen));
if (ret != NULL) {
i = 0;
while (*s) {
if (strstr(s, old) == s) {
strcpy(&ret[i], new);
i += newlen;
s += oldlen;
} else {
ret[i++] = *s++;
}
}
ret[i] = '\0';
}
return ret;
}
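Review bot: In the `usepipe` branch of `squidclamav_check_preview_handler`, `rbuff` is passed to `fprintf(sgfpw, "%s %s %s %s\n", rbuff, ...)` without a NULL check, although `replace()` returns NULL when its `malloc` fails. Passing NULL to `%s` is undefined behaviour; on glibc it usually prints `(null)`, so the chained filter would return a verdict for a string that is not the requested URL. Test the result before writing, e.g. `if (rbuff == NULL) { /* log, skip the squidGuard query and take the handler's error path */ }`; the handler starts and ends outside the hunk, so the exact error return has to be chosen there. In `replace()` itself, `strstr(&s[i], old) == &s[i]` rescans the rest of the string at every position where `strncmp(&s[i], old, oldlen) == 0` is the prefix test it means, and an empty `old` (not passed by this commit's only call) would keep the counting loop from advancing, so `if (oldlen == 0) return NULL;` at the top is worth adding.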
