author | margarida <margarida@cvs.openbsd.org> | 2002-11-25 14:29:11 +0000 |
---|---|---|
committer | margarida <margarida@cvs.openbsd.org> | 2002-11-25 14:29:11 +0000 |
commit | 0e7d093f0b68f8e0f49dbd22753d01f11f8072cb (patch) | |
tree | d2902d6f1d22d4d5118fdcc72d8f935682213674 /gnu/usr.bin/lynx | |
parent | 7a77fb288ef944d992a0126f1aa0c6c72d1c5137 (diff) |
Fix URL CRLF Injection bug.
--
A CRLF injection vulnerability has been reported for Lynx that
may allow an attacker to include extra HTTP headers when viewing
web pages.
If Lynx is called from the command line, carriage return and line
feed (CRLF) characters may be included in the specified URL.
These characters are not escaped when the input is used to construct
a HTTP request.
URL: http://www.flora.org/lynx-dev/html/month082002/msg00211.html
henning@ fgs@ pjanzen@ pvalchev@ ok
Diffstat (limited to 'gnu/usr.bin/lynx')
-rw-r--r-- | gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.c | 50 | ||||
-rw-r--r-- | gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.h | 21 | ||||
-rw-r--r-- | gnu/usr.bin/lynx/src/LYMain.c | 8 | ||||
-rw-r--r-- | gnu/usr.bin/lynx/src/LYMainLoop.c | 12 | ||||
-rw-r--r-- | gnu/usr.bin/lynx/src/LYStrings.c | 24 | ||||
-rw-r--r-- | gnu/usr.bin/lynx/src/LYStrings.h | 4 |
6 files changed, 96 insertions, 23 deletions
diff --git a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.c b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.c
index 9e75b8db7c3..097f091d40b 100644
--- a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.c
+++ b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.c
@@ -669,8 +669,8 @@ PUBLIC char * HTRelative ARGS2(
 return result;
 }
-/* Escape undesirable characters using % HTEscape()
-** -------------------------------------
+/* Escape undesirable characters using % HTEscape()
+** -------------------------------------
 **
 ** This function takes a pointer to a string in which
 ** some characters may be unacceptable unescaped.
@@ -683,7 +683,7 @@ PRIVATE CONST unsigned char isAcceptable[96] =
 /* Bit 0 xalpha -- see HTFile.h
 ** Bit 1 xpalpha -- as xalpha but with plus.
-** Bit 3 ... path -- as xpalphas but with /
+** Bit 2 ... path -- as xpalphas but with /
 */
 /* 0 1 2 3 4 5 6 7 8 9 A B C D E F */
 { 0,0,0,0,0,0,0,0,0,0,7,6,0,7,7,4, /* 2x !"#$%&'()*+,-./ */
@@ -713,13 +713,51 @@ PUBLIC char * HTEscape ARGS2(
 for (q = result, p = str; *p; p++) {
 unsigned char a = TOASCII(*p);
 if (!ACCEPTABLE(a)) {
- *q++ = HEX_ESCAPE; /* Means hex commming */
+ *q++ = HEX_ESCAPE; /* Means hex coming */
 *q++ = hex[a >> 4];
 *q++ = hex[a & 15];
 }
 else *q++ = *p;
 }
- *q++ = '\0'; /* Terminate */
+ *q++ = '\0'; /* Terminate */
+ return result;
+}
+
+/* Escape unsafe characters using % HTEscapeUnsafe()
+** --------------------------------
+**
+** This function takes a pointer to a string in which
+** some characters that may be unsafe are unescaped.
+** It returns a string which has these characters
+** represented by a '%' character followed by two new hex digits.
+**
+** Unlike HTUnEscape(), this routine returns a malloc'd string.
+*/
+#define UNSAFE(ch) (((ch) <= 32 ) || ((ch) >= 127))
+
+PUBLIC char *HTEscapeUnsafe ARGS1(
+ CONST char *, str)
+{
+ CONST char * p;
+ char * q;
+ char * result;
+ int unacceptable = 0;
+ for (p = str; *p; p++)
+ if (UNSAFE((unsigned char)TOASCII(*p)))
+ unacceptable++;
+ result = (char *)calloc(1, (p-str + unacceptable + unacceptable + 1));
+ if (result == NULL)
+ outofmem(__FILE__, "HTEscapeUnsafe");
+ for (q = result, p = str; *p; p++) {
+ unsigned char a = TOASCII(*p);
+ if (UNSAFE(a)) {
+ *q++ = HEX_ESCAPE; /* Means hex coming */
+ *q++ = hex[a >> 4];
+ *q++ = hex[a & 15];
+ }
+ else *q++ = *p;
+ }
+ *q++ = '\0'; /* Terminate */
 return result;
 }
@@ -760,7 +798,7 @@ PUBLIC char * HTEscapeSP ARGS2(
 *q++ = *p;
 }
 }
- *q++ = '\0'; /* Terminate */
+ *q++ = '\0'; /* Terminate */
 return result;
 }
diff --git a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.h b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.h
index 2f3c522cb85..46525bb8d9c 100644
--- a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.h
+++ b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.h
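Review bot: The comment above `HTEscapeUnsafe()` does not say which bytes count as unsafe or who releases the result, and both matter for a security fix. From the code, `UNSAFE(ch)` matches every byte `<= 32` or `>= 127` (control characters including CR and LF, space, DEL and 8-bit bytes), while `%` passes through, so input that is already percent-encoded is not encoded twice. I would add that to the header comment, e.g. `** Escapes bytes <= 0x20 and >= 0x7F; '%' is left alone. The caller must FREE() the result.` The escaped form keeps CR/LF out of the request only if nothing unescapes the URL again before the request line is built; that code is outside this diff and should be confirmed. Minor: `unacceptable` is an `int` added to a pointer difference to size the `calloc`, and a `size_t` counter would remove any signed-overflow question on very long input.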
@@ -113,26 +113,39 @@ extern char * HTRelative PARAMS((
 ** -------------------------------------
 **
 ** This function takes a pointer to a string in which
-** some characters may be unacceptable unescaped.
+** some characters may be unacceptable are unescaped.
 ** It returns a string which has these characters
 ** represented by a '%' character followed by two hex digits.
 **
-** Unlike HTUnEscape(), this routine returns a malloced string.
+** Unlike HTUnEscape(), this routine returns a malloc'd string.
 */
 extern char * HTEscape PARAMS((
 CONST char * str,
 unsigned char mask));
+/* Escape unsafe characters using % HTEscapeUnsafe()
+** --------------------------------
+**
+** This function takes a pointer to a string in which
+** some characters may be that may be unsafe are unescaped.
+** It returns a string which has these characters
+** represented by a '%' character followed by two hex digits.
+**
+** Unlike HTUnEscape(), this routine returns a malloc'd string.
+*/
+extern char * HTEscapeUnsafe PARAMS((
+ CONST char * str));
+
 /* Escape undesirable characters using % but space to +. HTEscapeSP()
 ** -----------------------------------------------------
 **
 ** This function takes a pointer to a string in which
-** some characters may be unacceptable unescaped.
+** some characters may be unacceptable are unescaped.
 ** It returns a string which has these characters
 ** represented by a '%' character followed by two hex digits,
 ** except that spaces are converted to '+' instead of %2B.
 **
-** Unlike HTUnEscape(), this routine returns a malloced string.
+** Unlike HTUnEscape(), this routine returns a malloc'd string.
 */
 extern char * HTEscapeSP PARAMS((
 CONST char * str,
diff --git a/gnu/usr.bin/lynx/src/LYMain.c b/gnu/usr.bin/lynx/src/LYMain.c
index 136bc6c5890..7f3707c64af 100644
--- a/gnu/usr.bin/lynx/src/LYMain.c
+++ b/gnu/usr.bin/lynx/src/LYMain.c
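Review bot: The reworded comment lines in this hunk no longer parse: `some characters may be unacceptable are unescaped` (for `HTEscape` and `HTEscapeSP`) and `some characters may be that may be unsafe are unescaped` (for `HTEscapeUnsafe`). Suggested wording is `** some characters that may be unacceptable are unescaped.` and `** some characters that may be unsafe are unescaped.`, the latter matching the comment this commit adds in HTParse.c. The new `HTEscapeUnsafe` comment should also say that the caller owns and must free the returned string, since "returns a malloc'd string" leaves that implicit. Not touched by the commit, but visible in the context lines: the `HTEscapeSP` comment says spaces become `'+'` "instead of %2B", where the percent-escape of a space would be %20.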
@@ -796,7 +796,7 @@ PUBLIC int main ARGS2(
 AlertSecs = (int)ALERTSECS;
 StrAllocCopy(helpfile, HELPFILE);
 StrAllocCopy(startfile, STARTFILE);
- LYTrimStartfile(startfile);
+ LYEscapeStartfile(&startfile);
 StrAllocCopy(indexfile, DEFAULT_INDEX_FILE);
 StrAllocCopy(global_type_map, GLOBAL_MAILCAP);
 StrAllocCopy(personal_type_map, PERSONAL_MAILCAP);
@@ -1382,7 +1382,7 @@ PUBLIC int main ARGS2(
 */
 if ((cp = getenv("WWW_HOME")) != NULL) {
 StrAllocCopy(startfile, cp);
- LYTrimStartfile(startfile);
+ LYEscapeStartfile(&startfile);
 }
 /*
@@ -2307,7 +2307,7 @@ static int homepage_fun ARGS1(
 {
 if (next_arg != 0) {
 StrAllocCopy(homepage, next_arg);
- LYTrimStartfile(homepage);
+ LYEscapeStartfile(&homepage);
 }
 return 0;
 }
@@ -3228,7 +3228,7 @@ PRIVATE void parse_arg ARGS2(
 #endif
 {
 StrAllocCopy(startfile, arg_name);
- LYTrimStartfile(startfile);
+ LYEscapeStartfile(&startfile);
 return;
 }
 #if EXTENDED_OPTION_LOGIC
diff --git a/gnu/usr.bin/lynx/src/LYMainLoop.c b/gnu/usr.bin/lynx/src/LYMainLoop.c
index 8bdc0ae0edd..31d120938dc 100644
--- a/gnu/usr.bin/lynx/src/LYMainLoop.c
+++ b/gnu/usr.bin/lynx/src/LYMainLoop.c
@@ -3356,9 +3356,7 @@ new_cmd: /*
 ((links[curdoc.link].type == WWW_FORM_LINK_TYPE) ? links[curdoc.link].form->submit_action : links[curdoc.link].lname))) {
- if (!LYTrimStartfile(user_input_buffer)) {
- LYRemoveBlanks(user_input_buffer);
- }
+ LYTrimAllStartfile(user_input_buffer);
 if (user_input_buffer[0] != '\0') {
 goto check_goto_URL;
 }
@@ -3428,9 +3426,7 @@ new_cmd: /*
 sizeof(user_input_buffer), RECALL)) >= 0) && user_input_buffer[0] != '\0' && strcmp(user_input_buffer, curdoc.address)) {
- if (!LYTrimStartfile(user_input_buffer)) {
- LYRemoveBlanks(user_input_buffer);
- }
+ LYTrimAllStartfile(user_input_buffer);
 if (user_input_buffer[0] != '\0') {
 goto check_goto_URL;
 }
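Review bot: The goto-prompt paths in LYMainLoop.c (the two hunks here and the `check_recall` hunk that follows) get only `LYTrimAllStartfile()`, which per its definition in LYStrings.c calls `LYRemoveBlanks()` and never `HTEscapeUnsafe()`. The new escaping therefore covers the four startfile/homepage sites in LYMain.c but not URLs entered at the prompt. Whether `LYRemoveBlanks()` also strips CR, LF and other control bytes cannot be seen in this diff and should be confirmed. Since `user_input_buffer` is a fixed-size array and escaping can triple a string's length, the more robust place for the check is where the HTTP request line is assembled, so that every URL source is covered regardless of entry point. The enclosing code for all three hunks starts and ends outside the visible lines.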
@@ -3488,9 +3484,7 @@ check_recall: /*
 * Get rid of leading spaces (and any other spaces).
 */
- if (!LYTrimStartfile(user_input_buffer)) {
- LYRemoveBlanks(user_input_buffer);
- }
+ LYTrimAllStartfile(user_input_buffer);
 if (*user_input_buffer == '\0' && !(recall && (ch == UPARROW || ch == DNARROW))) {
 strcpy(user_input_buffer, temp);
diff --git a/gnu/usr.bin/lynx/src/LYStrings.c b/gnu/usr.bin/lynx/src/LYStrings.c
index 0b493dd781a..02796c6c5b5 100644
--- a/gnu/usr.bin/lynx/src/LYStrings.c
+++ b/gnu/usr.bin/lynx/src/LYStrings.c
@@ -1758,6 +1758,30 @@ PUBLIC BOOLEAN LYTrimStartfile ARGS1(
 }
 /*
+ * Escape unsafe characters in startfile, except for lynx internal URLs.
+ */
+PUBLIC void LYEscapeStartfile ARGS1(
+ char **, buffer)
+{
+ if (!LYTrimStartfile(*buffer)) {
+ char *escaped = HTEscapeUnsafe(*buffer);
+ StrAllocCopy(*buffer, escaped);
+ FREE(escaped);
+ }
+}
+
+/*
+ * Trim all blanks from startfile, except for lynx internal URLs.
+ */
+PUBLIC void LYTrimAllStartfile ARGS1(
+ char *, buffer)
+{
+ if (!LYTrimStartfile(buffer)) {
+ LYRemoveBlanks(buffer);
+ }
+}
+
+/*
 ** Display the current value of the string and allow the user
 ** to edit it.
 */
diff --git a/gnu/usr.bin/lynx/src/LYStrings.h b/gnu/usr.bin/lynx/src/LYStrings.h
index d3f4b5822cf..cb2acf490dd 100644
--- a/gnu/usr.bin/lynx/src/LYStrings.h
+++ b/gnu/usr.bin/lynx/src/LYStrings.h
@@ -187,6 +187,8 @@ typedef struct _EditFieldData {
 extern int lynx_initialize_keymaps NOPARAMS;
 #endif
+extern void LYEscapeStartfile PARAMS((
+ char ** buffer));
 extern void LYLowerCase PARAMS((
 char * buffer));
 extern void LYUpperCase PARAMS((
@@ -205,6 +207,8 @@ extern void LYTrimLeading PARAMS((
 char * buffer));
 extern void LYTrimTrailing PARAMS((
 char * buffer));
+extern void LYTrimAllStartfile PARAMS((
+ char * buffer));
 extern BOOLEAN LYTrimStartfile PARAMS((
 char * buffer));
 extern void LYSetupEdit PARAMS(( |
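Review bot: `LYEscapeStartfile()` skips escaping entirely whenever `LYTrimStartfile()` returns true, and the comment describes that case only as "lynx internal URLs". Because that return value now decides whether CR/LF are neutralised, the comment should name the schemes that take the exempt path and say why they cannot reach an HTTP request; the body of `LYTrimStartfile()` is outside this hunk, so the set cannot be checked here. The function also assumes `*buffer` is non-NULL, which holds at the LYMain.c call sites because each follows a `StrAllocCopy`, and that precondition is worth stating in the comment. Minor: `StrAllocCopy(*buffer, escaped); FREE(escaped);` copies the string a second time, where `FREE(*buffer); *buffer = escaped;` would presumably hand over the allocation directly.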