Attachment 124968 Details for Bug 185442 – 07_all_lighttpd-1.4.15-duplicated_headers_with_folding_crash.diff

07_all_lighttpd-1.4.15-duplicated_headers_with_folding_crash.diff

07_all_lighttpd-1.4.15-duplicated_headers_with_folding_crash.diff (text/plain), 3.09 KB, created by Thilo Bangert (RETIRED) (RETIRED) on 2007-07-15 22:02:19 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Thilo Bangert (RETIRED) (RETIRED)

Created: 2007-07-15 22:02:19 UTC

Size: 3.09 KB

patch

obsolete

>Index: src/request.c
>===================================================================
>--- src/request.c	(revision 1868)
>+++ src/request.c	(revision 1870)
>@@ -284,8 +284,6 @@
> 
> 	int done = 0;
> 
>-	data_string *ds = NULL;
>-
> 	/*
> 	 * Request: "^(GET|POST|HEAD) ([^ ]+(\\?[^ ]+|)) (HTTP/1\\.[01])$"
> 	 * Option : "^([-a-zA-Z]+): (.+)$"
>@@ -715,12 +713,24 @@
> 			switch(*cur) {
> 			case '\r':
> 				if (con->parse_request->ptr[i+1] == '\n') {
>+					data_string *ds = NULL;
>+
> 					/* End of Headerline */
> 					con->parse_request->ptr[i] = '\0';
> 					con->parse_request->ptr[i+1] = '\0';
> 
> 					if (in_folding) {
>-						if (!ds) {
>+						buffer *key_b;
>+						/**
>+						 * we use a evil hack to handle the line-folding
>+						 * 
>+						 * As array_insert_unique() deletes 'ds' in the case of a duplicate
>+						 * ds points somewhere and we get a evil crash. As a solution we keep the old
>+						 * "key" and get the current value from the hash and append us
>+						 *
>+						 * */
>+
>+						if (!key || !key_len) {
> 							/* 400 */
> 
> 							if (srv->srvconf.log_request_header_on_error) {
>@@ -737,7 +747,15 @@
> 							con->response.keep_alive = 0;
> 							return 0;
> 						}
>-						buffer_append_string(ds->value, value);
>+
>+						key_b = buffer_init();
>+						buffer_copy_string_len(key_b, key, key_len);
>+
>+						if (NULL != (ds = (data_string *)array_get_element(con->request.headers, key_b->ptr))) {
>+							buffer_append_string(ds->value, value);
>+						}
>+
>+						buffer_free(key_b);
> 					} else {
> 						int s_len;
> 						key = con->parse_request->ptr + first;
>@@ -969,7 +987,12 @@
> 					first = i+1;
> 					is_key = 1;
> 					value = 0;
>-					key_len = 0;
>+#if 0
>+					/**
>+					 * for Bug 1230 keep the key_len a live
>+					 */
>+					key_len = 0; 
>+#endif
> 					in_folding = 0;
> 				} else {
> 					if (srv->srvconf.log_request_header_on_error) {
>Index: tests/core-request.t
>===================================================================
>--- tests/core-request.t	(revision 1868)
>+++ tests/core-request.t	(revision 1870)
>@@ -8,7 +8,7 @@
> 
> use strict;
> use IO::Socket;
>-use Test::More tests => 33;
>+use Test::More tests => 36;
> use LightyTest;
> 
> my $tf = LightyTest->new();
>@@ -273,6 +273,38 @@
> $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
> ok($tf->handle_http($t) == 0, 'uppercase filenames');
> 
>+$t->{REQUEST}  = ( <<EOF
>+GET / HTTP/1.0
>+Location: foo
>+Location: foobar
>+  baz
>+EOF
>+ );
>+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
>+ok($tf->handle_http($t) == 0, '#1232 - duplicate headers with line-wrapping');
> 
>+$t->{REQUEST}  = ( <<EOF
>+GET / HTTP/1.0
>+Location: 
>+Location: foobar
>+  baz
>+EOF
>+ );
>+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
>+ok($tf->handle_http($t) == 0, '#1232 - duplicate headers with line-wrapping - test 2');
>+
>+$t->{REQUEST}  = ( <<EOF
>+GET / HTTP/1.0
>+A: 
>+Location: foobar
>+  baz
>+EOF
>+ );
>+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
>+ok($tf->handle_http($t) == 0, '#1232 - duplicate headers with line-wrapping - test 3');
>+
>+
>+
>+
> ok($tf->stop_proc == 0, "Stopping lighttpd");
>

Actions: View

Attachments on bug 185442: 124941 | 124943 | 124944 | 124966 | 124968 | 124969 | 124971