[Fedora-directory-commits] adminutil/lib/libadminutil form_post.c, 1.8, 1.9

Richard Allen Megginson (rmeggins) fedora-directory-commits at redhat.com
Mon Mar 3 17:59:47 UTC 2008


Author: rmeggins

Update of /cvs/dirsec/adminutil/lib/libadminutil
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv2494/adminutil/lib/libadminutil

Modified Files:
	form_post.c 
Log Message:
Resolves: bug 245248
Description: dsgw doesn't escape filename in error message
Reviewed by: nhosoi (Thanks!)
Fix Description: Do 2 passes on the input form data.  In the first pass,
convert hex escapes (%xx) to the actual char.  In the second pass, if the
char is one of the characters we must escape, convert to the html escape
form (e.g. '&' to "&amp;") then write to output string.  This way we can
catch cases where "%xx" evaluates to '&' for example.
Platforms tested: RHEL5 x86_64
Flag day: no
Doc: no



Index: form_post.c
===================================================================
RCS file: /cvs/dirsec/adminutil/lib/libadminutil/form_post.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- form_post.c	21 Jun 2007 22:32:24 -0000	1.8
+++ form_post.c	3 Mar 2008 17:59:45 -0000	1.9
@@ -140,6 +140,10 @@
     }
 
     for (x = 0, y = 0; x < l; x++, y++) {
+        /* first, do the url unescaping, if needed -
+           digit holds the candidate char to write
+           to the output string
+        */
         if (('%' == str[x]) && (x < (l - 2))) {
             ++x;
             digit = (str[x] >= 'A' ? 
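Review bot: The `%xx` branch that the new comment documents takes the two bytes after `%` as hex digits without checking them, so `%zz` decodes to an arbitrary byte and `%00` puts a NUL into `digit`, which the final `else` of the second pass then stores mid-string. Since `digit` now also drives the HTML-escaping decision, the condition should be tightened to `if ('%' == str[x] && x < (l - 2) && isxdigit((unsigned char)str[x+1]) && isxdigit((unsigned char)str[x+2]))`, and a decoded zero should be treated as invalid input. If `l` is an unsigned type, `l - 2` also wraps for inputs shorter than two bytes; its declaration is outside the hunk, so that needs confirming. The decoding expression itself continues past the end of this hunk.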
@@ -149,27 +153,31 @@
             ++x;
             digit += (str[x] >= 'A' ? 
                          ((str[x] & 0xdf) - 'A') + 10 : (str[x] - '0'));
-
-            rstr[y] = digit;
         } else if (str[x] == '+')  {
-            rstr[y] = ' ';
-        } else if ('<' == str[x]) {
+            digit = ' ';
+        } else {
+            digit = str[x];
+        }
+
+        /* next, see if digit (the original or the unescaped char)
+           needs to be html encoded */
+        if ('<' == digit) {
             memcpy(&rstr[y], "<", 4);
             y += 3;
-        } else if ('>' == str[x]) {
+        } else if ('>' == digit) {
             memcpy(&rstr[y], ">", 4);
             y += 3;
-        } else if ('&' == str[x]) {
+        } else if ('&' == digit) {
             memcpy(&rstr[y], "&", 5);
             y += 4;
-        } else if ('"' == str[x]) {
+        } else if ('"' == digit) {
             memcpy(&rstr[y], """, 6);
             y += 5;
-        } else if ('\'' == str[x]) {
+        } else if ('\'' == digit) {
             memcpy(&rstr[y], "'", 5);
             y += 4;
-        } else {
-            rstr[y] = str[x];
+        } else { /* just write the char to the output string */
+            rstr[y] = digit;
         }
     }
     rstr[y] = '\0';
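Review bot: Output expansion is no longer tied to the raw input bytes: with the second pass keyed on `digit`, a three-byte `%22` now writes six bytes through the `memcpy(&rstr[y], ..., 6)` branch, where revision 1.8 wrote one. The allocation of `rstr` is outside this hunk; if it is sized by counting literal `<`, `>`, `&`, `"` and `'` in `str`, percent-encoded forms of those characters will write past the end of the buffer. The sizing should either count decoded characters or use the worst case of six output bytes per input byte plus the terminator. A comment above the loop should state that invariant, e.g. `/* rstr must hold up to 6 bytes per input byte + NUL */`.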
@@ -327,7 +335,7 @@
     char *ans = NULL;
     char buf[BUFSIZ];
    
-    while(input[x])  {
+    while(input && input[x])  {
     /*  We want to get rid of the =, so len, len+1 */
         if((!strncmp(input[x], varname, len)) && (*(input[x]+len) == '='))  {
             if (!(ans = PL_strdup(input[x] + len + 1))) {
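Review bot: `input` is re-tested on every iteration in `while(input && input[x])` although nothing visible in the hunk reassigns it; a single guard ahead of the loop, such as `if (!input) return ans;`, states the intent more directly. That holds only if the code after the loop does nothing else for the not-found case, and the function body continues outside this hunk. `varname` is passed to `strncmp` without a visible NULL check, so it is worth confirming that callers never pass NULL there.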



