httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@znep.com>
Subject Re: [PATCH] fix mod_info output corruption
Date Sun, 26 Jan 1997 00:49:09 GMT
Oops.  +1.  I think it is worthwhile before the beta.

On Sat, 25 Jan 1997, Dean Gaudet wrote:

> This bug was added during the buffer overflow patch.  mod_info was
> printing garbage whenever it encountered < or >.  This patch fixes that
> and also allows it to escape & should it ever need to.  (We should
> probably have a standard escaping function.) 
> 
> Dean
> 
> Index: mod_info.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/mod_info.c,v
> retrieving revision 1.10
> diff -c -3 -r1.10 mod_info.c
> *** mod_info.c	1997/01/20 04:28:14	1.10
> --- mod_info.c	1997/01/26 00:27:24
> ***************
> *** 89,107 ****
>   char *mod_info_html_cmd_string(char *string) {
>   	char *s,*t;
>   	static char ret[256];  /* What is the max size of a command? */
>   
>   	ret[0]='\0';
>   	s = string;
>   	t=ret;	
> ! 	while((*s) && (strlen(t) < 256)) {
>   		if(*s=='<') { 
> ! 			strncat(t,"&lt;", sizeof(ret)-strlen(ret));
>   			t+=4*sizeof(char);
>   		} else if(*s=='>') {
> ! 			strncat(t,"&gt;", sizeof(ret)-strlen(ret));
>   			t+=4*sizeof(char);
>   		}
> - 		else *t++=*s;
>   		s++;
>   	}
>   	*t='\0';
> --- 89,113 ----
>   char *mod_info_html_cmd_string(char *string) {
>   	char *s,*t;
>   	static char ret[256];  /* What is the max size of a command? */
> + 	char *end_ret;
>   
>   	ret[0]='\0';
>   	s = string;
>   	t=ret;	
> ! 	end_ret = t + sizeof(ret);
> ! 	while((*s) && ((t-ret) < sizeof(ret))) {
>   		if(*s=='<') { 
> ! 			strncpy(t,"&lt;", end_ret - t);
>   			t+=4*sizeof(char);
>   		} else if(*s=='>') {
> ! 			strncpy(t,"&gt;", end_ret - t);
>   			t+=4*sizeof(char);
> + 		} else if(*s=='&') {
> + 		    	strncpy(t,"&amp;", end_ret - t);
> + 			t+=5*sizeof(char);
> + 		} else {
> + 		    *t++=*s;
>   		}
>   		s++;
>   	}
>   	*t='\0';
> 
> 


Mime
View raw message