httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Behlendorf <br...@organic.com>
Subject Re: util.c hole and speed of security patch release
Date Thu, 25 Apr 1996 18:27:04 GMT
On Thu, 25 Apr 1996, Dirk.vanGulik wrote:
> I am not sure if I am right, but if I try plugging that hole
> I seem to loose the newlines in my forms, i.e. from a textarea
> or some fancy hidden field. Insofar as I can see this is not
> a hole but an essential feature; and it is bad cgi programming 
> which might cause problems.
> 
> Or am I editing the wrong escape sequence ?

Talking about src/util.c:

Don't the newlines get encoded to %0A by the client before submission?  
If so, then stripping '\n' before passing data on to the CGI script 
should be fine, because the decoding from %0A to '\n' happens in the CGI 
script itself, and only the CGI script can check it for validity.

cgi-src/util.c filters out '\x0A', which should be the same thing as '\n' 
- and if this happens *before* the hex-decoding of the 
"x-www-url-encoded" data to regular ascii, then there should be no 
problem, since \n is not a valid character in that stream and can be 
removed.  If it happens afterwards, then yes, you could lost that data, 
but "escape_shell_cmd" does not strike me as something which should be 
run on data not passed to a shell command line anyways.

Am I talking out of my ass here?  

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  |  We're hiring!  http://www.organic.com/Home/Info/Jobs/


Mime
View raw message