httpd-apreq-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From j...@apache.org
Subject svn commit: r161902 - in httpd/apreq/trunk: CHANGES glue/perl/xsbuilder/apreq_xs_postperl.h
Date Tue, 19 Apr 2005 14:55:41 GMT
Author: joes
Date: Tue Apr 19 07:55:40 2005
New Revision: 161902

URL: http://svn.apache.org/viewcvs?view=rev&rev=161902
Log:
Setting the UTF8 flag on non-utf8 data is a security hole.
Let's see if coupling that decision with taintedness helps
resolve this issue.

Modified:
    httpd/apreq/trunk/CHANGES
    httpd/apreq/trunk/glue/perl/xsbuilder/apreq_xs_postperl.h

Modified: httpd/apreq/trunk/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/apreq/trunk/CHANGES?view=diff&r1=161901&r2=161902
==============================================================================
--- httpd/apreq/trunk/CHANGES (original)
+++ httpd/apreq/trunk/CHANGES Tue Apr 19 07:55:40 2005
@@ -7,8 +7,9 @@
 - C API [joes]
   Add apreq_cp1252_to_utf8().
 
-- C API [joes]
-  Add charset support for params.
+- C. Perl API [joes]
+  Add charset support for params and couple the SvUTF8 flag
+  to the param's taint flag.
 
 - C API [joes]
   Replace v->size with v->nlen + v->dlen.

Modified: httpd/apreq/trunk/glue/perl/xsbuilder/apreq_xs_postperl.h
URL: http://svn.apache.org/viewcvs/httpd/apreq/trunk/glue/perl/xsbuilder/apreq_xs_postperl.h?view=diff&r1=161901&r2=161902
==============================================================================
--- httpd/apreq/trunk/glue/perl/xsbuilder/apreq_xs_postperl.h (original)
+++ httpd/apreq/trunk/glue/perl/xsbuilder/apreq_xs_postperl.h Tue Apr 19 07:55:40 2005
@@ -146,7 +146,11 @@
         SV *rv = newSVpvn(p->v.data, p->v.dlen);
         if (apreq_param_is_tainted(p))
             SvTAINTED_on(rv);
-        if (apreq_param_charset_get(p) == APREQ_CHARSET_UTF8)
+        else if (apreq_param_charset_get(p) == APREQ_CHARSET_UTF8)
+            /* Setting the UTF8 flag on non-utf8 data is a security hole.
+             * Let's see if coupling that decision with taintedness helps
+             * resolve this issue.
+             */
             SvUTF8_on(rv);
         return rv;
     }



Mime
View raw message