Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 124968 Details for
Bug 185442
www-servers/lighttpd < 1.4.16 Multiple issues (CVE-2007-39{46,47,48,49,50}, CVE-2007-2841)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
07_all_lighttpd-1.4.15-duplicated_headers_with_folding_crash.diff
07_all_lighttpd-1.4.15-duplicated_headers_with_folding_crash.diff (text/plain), 3.09 KB, created by
Thilo Bangert (RETIRED) (RETIRED)
on 2007-07-15 22:02:19 UTC
(
hide
)
Description:
07_all_lighttpd-1.4.15-duplicated_headers_with_folding_crash.diff
Filename:
MIME Type:
Creator:
Thilo Bangert (RETIRED) (RETIRED)
Created:
2007-07-15 22:02:19 UTC
Size:
3.09 KB
patch
obsolete
>Index: src/request.c >=================================================================== >--- src/request.c (revision 1868) >+++ src/request.c (revision 1870) >@@ -284,8 +284,6 @@ > > int done = 0; > >- data_string *ds = NULL; >- > /* > * Request: "^(GET|POST|HEAD) ([^ ]+(\\?[^ ]+|)) (HTTP/1\\.[01])$" > * Option : "^([-a-zA-Z]+): (.+)$" >@@ -715,12 +713,24 @@ > switch(*cur) { > case '\r': > if (con->parse_request->ptr[i+1] == '\n') { >+ data_string *ds = NULL; >+ > /* End of Headerline */ > con->parse_request->ptr[i] = '\0'; > con->parse_request->ptr[i+1] = '\0'; > > if (in_folding) { >- if (!ds) { >+ buffer *key_b; >+ /** >+ * we use a evil hack to handle the line-folding >+ * >+ * As array_insert_unique() deletes 'ds' in the case of a duplicate >+ * ds points somewhere and we get a evil crash. As a solution we keep the old >+ * "key" and get the current value from the hash and append us >+ * >+ * */ >+ >+ if (!key || !key_len) { > /* 400 */ > > if (srv->srvconf.log_request_header_on_error) { >@@ -737,7 +747,15 @@ > con->response.keep_alive = 0; > return 0; > } >- buffer_append_string(ds->value, value); >+ >+ key_b = buffer_init(); >+ buffer_copy_string_len(key_b, key, key_len); >+ >+ if (NULL != (ds = (data_string *)array_get_element(con->request.headers, key_b->ptr))) { >+ buffer_append_string(ds->value, value); >+ } >+ >+ buffer_free(key_b); > } else { > int s_len; > key = con->parse_request->ptr + first; >@@ -969,7 +987,12 @@ > first = i+1; > is_key = 1; > value = 0; >- key_len = 0; >+#if 0 >+ /** >+ * for Bug 1230 keep the key_len a live >+ */ >+ key_len = 0; >+#endif > in_folding = 0; > } else { > if (srv->srvconf.log_request_header_on_error) { >Index: tests/core-request.t >=================================================================== >--- tests/core-request.t (revision 1868) >+++ tests/core-request.t (revision 1870) >@@ -8,7 +8,7 @@ > > use strict; > use IO::Socket; >-use Test::More tests => 33; >+use Test::More tests => 36; > use LightyTest; > > my $tf = LightyTest->new(); >@@ -273,6 +273,38 @@ > $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ]; > ok($tf->handle_http($t) == 0, 'uppercase filenames'); > >+$t->{REQUEST} = ( <<EOF >+GET / HTTP/1.0 >+Location: foo >+Location: foobar >+ baz >+EOF >+ ); >+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ]; >+ok($tf->handle_http($t) == 0, '#1232 - duplicate headers with line-wrapping'); > >+$t->{REQUEST} = ( <<EOF >+GET / HTTP/1.0 >+Location: >+Location: foobar >+ baz >+EOF >+ ); >+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ]; >+ok($tf->handle_http($t) == 0, '#1232 - duplicate headers with line-wrapping - test 2'); >+ >+$t->{REQUEST} = ( <<EOF >+GET / HTTP/1.0 >+A: >+Location: foobar >+ baz >+EOF >+ ); >+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ]; >+ok($tf->handle_http($t) == 0, '#1232 - duplicate headers with line-wrapping - test 3'); >+ >+ >+ >+ > ok($tf->stop_proc == 0, "Stopping lighttpd"); >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 185442
:
124941
|
124943
|
124944
|
124966
| 124968 |
124969
|
124971