httpd-cvs mailing list archives

From dgau...@hyperreal.org
Subject cvs commit: apachen/src/main util_script.c
Date Wed, 14 Jan 1998 21:01:09 GMT
dgaudet     98/01/14 13:01:09

  Modified:    .        STATUS
               src      CHANGES
               src/main util_script.c
  Log:
  protect environment variable names from having bad things in them
  
  Reviewed by:	Martin Kraemer, Jim Jagielski
  
  Revision  Changes    Path
  1.92      +1 -4      apachen/STATUS
  
  Index: STATUS
  ===================================================================
  RCS file: /export/home/cvs/apachen/STATUS,v
  retrieving revision 1.91
  retrieving revision 1.92
  diff -u -r1.91 -r1.92
  --- STATUS	1998/01/14 16:41:34	1.91
  +++ STATUS	1998/01/14 21:01:03	1.92
  @@ -81,12 +81,9 @@
       * Dean's [PATCH] make mod_rewrite use ap_cpystrn
       * Martin's [PORT] Make apache compile & run on an EBCDIC mainframe
       * Martin's [PATCH] mod_speling [300] Multiple Choices bug (Take 2)
  +    * Dean's [PATCH] protect the environment
   
   Available Patches:
  -
  -    * Dean's [PATCH] protect the environment
  -	<Pine.LNX.3.95dg3.980113134932.28203P-100000@twinlark.arctic.org>
  -	Status: Dean +1, Martin +1, Jim +1
   
       * Dean's [PATCH] MONCONTROL for profiling children
   	<Pine.LNX.3.95dg3.980111040040.25014C-100000@twinlark.arctic.org>
  
  
  
  1.566     +9 -0      apachen/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /export/home/cvs/apachen/src/CHANGES,v
  retrieving revision 1.565
  retrieving revision 1.566
  diff -u -r1.565 -r1.566
  --- CHANGES	1998/01/13 23:29:10	1.565
  +++ CHANGES	1998/01/14 21:01:06	1.566
  @@ -1,5 +1,14 @@
   Changes with Apache 1.3b4
   
  +  *) For maximum portability, the environment passed to CGIs should
  +     only contain variables whose names match the regex
  +     /[a-zA-Z][a-zA-Z0-9_]*/.  This is now enforced by stamping
  +     underscores over any character outside the regex.  This
  +     affects HTTP_* variables, in a way that should be backward
  +     compatible for all the standard headers; and affects variables
  +     set with SetEnv/BrowserMatch and similar directives.
  +     [Dean Gaudet]
  +
     *) Mod_speling returned incorrect HREF's when an ambigous match
        was found. Noticed by <robinton@amtrash.comlink.de> (Soeren Ziehe)
        [robinton@amtrash.comlink.de (Soeren Ziehe), Martin Kraemer]
  
  
  
  1.91      +19 -4     apachen/src/main/util_script.c
  
  Index: util_script.c
  ===================================================================
  RCS file: /export/home/cvs/apachen/src/main/util_script.c,v
  retrieving revision 1.90
  retrieving revision 1.91
  diff -u -r1.90 -r1.91
  --- util_script.c	1998/01/11 20:55:19	1.90
  +++ util_script.c	1998/01/14 21:01:08	1.91
  @@ -129,11 +129,14 @@
       char *res = pstrcat(a, "HTTP_", w, NULL);
       char *cp = res;
   
  -    while (*++cp)
  -	if (*cp == '-')
  +    while (*++cp) {
  +	if (!isalnum(*cp) && *cp != '_') {
   	    *cp = '_';
  -	else
  +	}
  +	else {
   	    *cp = toupper(*cp);
  +	}
  +    }
   
       return res;
   }
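Review bot: `isalnum(*cp)` and `toupper(*cp)` in the new loop receive a plain `char`, so where `char` is signed a header-name byte of 0x80 or above reaches the ctype functions as a negative value, which is undefined behaviour; the same applies to `isdigit(*whack)` and `isalnum(*whack)` in the third hunk of this file. Cast at each call, e.g. `if (!isalnum((unsigned char)*cp) && *cp != '_') {` and `*cp = toupper((unsigned char)*cp);`. These functions are also locale-dependent, so under a non-C locale some non-ASCII bytes might be accepted as alphanumeric, which would undercut the portable-name rule stated in CHANGES; an explicit ASCII range test would avoid that. The enclosing function begins before this hunk.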
  @@ -145,6 +148,7 @@
       char **env = (char **) palloc(p, (env_arr->nelts + 2) * sizeof(char *));
       int i, j;
       char *tz;
  +    char *whack;
   
       j = 0;
       tz = getenv("TZ");
  @@ -153,7 +157,18 @@
       for (i = 0; i < env_arr->nelts; ++i) {
   	if (!elts[i].key)
   	    continue;
  -	env[j++] = pstrcat(p, elts[i].key, "=", elts[i].val, NULL);
  +	env[j] = pstrcat(p, elts[i].key, "=", elts[i].val, NULL);
  +	whack = env[j];
  +	if (isdigit(*whack)) {
  +	    *whack++ = '_';
  +	}
  +	while (*whack != '=') {
  +	    if (!isalnum(*whack) && *whack != '_') {
  +		*whack = '_';
  +	    }
  +	    ++whack;
  +	}
  +	++j;
       }
   
       env[j] = NULL;
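Review bot: The stamping loop stops at the first `=` in the joined string rather than at the end of `elts[i].key`, so a key that itself contains `=` would leave everything after that point unchecked and the child would see a shorter name than the one in the table; whether such a key can reach this table is not visible here. Bounding the scan by the key length avoids relying on that, e.g. `char *end = whack + strlen(elts[i].key);` followed by `while (whack < end) {`. An empty key still produces an entry with no name, so the existing guard could become `if (!elts[i].key || !*elts[i].key)`. A comment above the loop such as `/* force the name to [a-zA-Z_][a-zA-Z0-9_]*; the value is left untouched */` would also record that a leading `_` is allowed, which the regex in the CHANGES entry does not say. The function starts and ends outside this hunk.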
  
  
  
