diff options
| author | margarida <margarida@cvs.openbsd.org> | 2002-11-25 14:29:11 +0000 |
|---|---|---|
| committer | margarida <margarida@cvs.openbsd.org> | 2002-11-25 14:29:11 +0000 |
| commit | 0e7d093f0b68f8e0f49dbd22753d01f11f8072cb (patch) | |
| tree | d2902d6f1d22d4d5118fdcc72d8f935682213674 /gnu/usr.bin/lynx/WWW/Library | |
| parent | 7a77fb288ef944d992a0126f1aa0c6c72d1c5137 (diff) | |
Fix URL CRLF Injection bug.
--
A CRLF injection vulnerability has been reported for Lynx that
may allow an attacker to include extra HTTP headers when viewing
web pages.
If Lynx is called from the command line, carriage return and line
feed (CRLF) characters may be included in the specified URL.
These characters are not escaped when the input is used to construct
a HTTP request.
URL: http://www.flora.org/lynx-dev/html/month082002/msg00211.html
henning@ fgs@ pjanzen@ pvalchev@ ok
Diffstat (limited to 'gnu/usr.bin/lynx/WWW/Library')
| -rw-r--r-- | gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.c | 50 | ||||
| -rw-r--r-- | gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.h | 21 |
2 files changed, 61 insertions, 10 deletions
diff --git a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.c b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.c index 9e75b8db7c3..097f091d40b 100644 --- a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.c +++ b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.c @@ -669,8 +669,8 @@ PUBLIC char * HTRelative ARGS2( return result; } -/* Escape undesirable characters using % HTEscape() -** ------------------------------------- +/* Escape undesirable characters using % HTEscape() +** ------------------------------------- ** ** This function takes a pointer to a string in which ** some characters may be unacceptable unescaped. @@ -683,7 +683,7 @@ PRIVATE CONST unsigned char isAcceptable[96] = /* Bit 0 xalpha -- see HTFile.h ** Bit 1 xpalpha -- as xalpha but with plus. -** Bit 3 ... path -- as xpalphas but with / +** Bit 2 ... path -- as xpalphas but with / */ /* 0 1 2 3 4 5 6 7 8 9 A B C D E F */ { 0,0,0,0,0,0,0,0,0,0,7,6,0,7,7,4, /* 2x !"#$%&'()*+,-./ */ @@ -713,13 +713,51 @@ PUBLIC char * HTEscape ARGS2( for (q = result, p = str; *p; p++) { unsigned char a = TOASCII(*p); if (!ACCEPTABLE(a)) { - *q++ = HEX_ESCAPE; /* Means hex commming */ + *q++ = HEX_ESCAPE; /* Means hex coming */ *q++ = hex[a >> 4]; *q++ = hex[a & 15]; } else *q++ = *p; } - *q++ = '\0'; /* Terminate */ + *q++ = '\0'; /* Terminate */ + return result; +} + +/* Escape unsafe characters using % HTEscapeUnsafe() +** -------------------------------- +** +** This function takes a pointer to a string in which +** some characters that may be unsafe are unescaped. +** It returns a string which has these characters +** represented by a '%' character followed by two new hex digits. +** +** Unlike HTUnEscape(), this routine returns a malloc'd string. +*/ +#define UNSAFE(ch) (((ch) <= 32 ) || ((ch) >= 127)) + +PUBLIC char *HTEscapeUnsafe ARGS1( + CONST char *, str) +{ + CONST char * p; + char * q; + char * result; + int unacceptable = 0; + for (p = str; *p; p++) + if (UNSAFE((unsigned char)TOASCII(*p))) + unacceptable++; + result = (char *)calloc(1, (p-str + unacceptable + unacceptable + 1)); + if (result == NULL) + outofmem(__FILE__, "HTEscapeUnsafe"); + for (q = result, p = str; *p; p++) { + unsigned char a = TOASCII(*p); + if (UNSAFE(a)) { + *q++ = HEX_ESCAPE; /* Means hex coming */ + *q++ = hex[a >> 4]; + *q++ = hex[a & 15]; + } + else *q++ = *p; + } + *q++ = '\0'; /* Terminate */ return result; } @@ -760,7 +798,7 @@ PUBLIC char * HTEscapeSP ARGS2( *q++ = *p; } } - *q++ = '\0'; /* Terminate */ + *q++ = '\0'; /* Terminate */ return result; } diff --git a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.h b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.h index 2f3c522cb85..46525bb8d9c 100644 --- a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.h +++ b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.h @@ -113,26 +113,39 @@ extern char * HTRelative PARAMS(( ** ------------------------------------- ** ** This function takes a pointer to a string in which -** some characters may be unacceptable unescaped. +** some characters may be unacceptable are unescaped. ** It returns a string which has these characters ** represented by a '%' character followed by two hex digits. ** -** Unlike HTUnEscape(), this routine returns a malloced string. +** Unlike HTUnEscape(), this routine returns a malloc'd string. */ extern char * HTEscape PARAMS(( CONST char * str, unsigned char mask)); +/* Escape unsafe characters using % HTEscapeUnsafe() +** -------------------------------- +** +** This function takes a pointer to a string in which +** some characters may be that may be unsafe are unescaped. +** It returns a string which has these characters +** represented by a '%' character followed by two hex digits. +** +** Unlike HTUnEscape(), this routine returns a malloc'd string. +*/ +extern char * HTEscapeUnsafe PARAMS(( + CONST char * str)); + /* Escape undesirable characters using % but space to +. HTEscapeSP() ** ----------------------------------------------------- ** ** This function takes a pointer to a string in which -** some characters may be unacceptable unescaped. +** some characters may be unacceptable are unescaped. ** It returns a string which has these characters ** represented by a '%' character followed by two hex digits, ** except that spaces are converted to '+' instead of %2B. ** -** Unlike HTUnEscape(), this routine returns a malloced string. +** Unlike HTUnEscape(), this routine returns a malloc'd string. */ extern char * HTEscapeSP PARAMS(( CONST char * str, |