src - OpenBSD base system

diff options


context:
space:
mode:

author	margarida <margarida@cvs.openbsd.org>	2002-11-25 14:29:11 +0000
committer	margarida <margarida@cvs.openbsd.org>	2002-11-25 14:29:11 +0000
commit	0e7d093f0b68f8e0f49dbd22753d01f11f8072cb (patch)
tree	d2902d6f1d22d4d5118fdcc72d8f935682213674 /gnu/usr.bin
parent	7a77fb288ef944d992a0126f1aa0c6c72d1c5137 (diff)

Fix URL CRLF Injection bug.

-- A CRLF injection vulnerability has been reported for Lynx that may allow an attacker to include extra HTTP headers when viewing web pages. If Lynx is called from the command line, carriage return and line feed (CRLF) characters may be included in the specified URL. These characters are not escaped when the input is used to construct a HTTP request. URL: http://www.flora.org/lynx-dev/html/month082002/msg00211.html henning@ fgs@ pjanzen@ pvalchev@ ok

Diffstat (limited to 'gnu/usr.bin')

-rw-r--r--

gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.c

-rw-r--r--

gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.h

-rw-r--r--

gnu/usr.bin/lynx/src/LYMain.c

-rw-r--r--

gnu/usr.bin/lynx/src/LYMainLoop.c

-rw-r--r--

gnu/usr.bin/lynx/src/LYStrings.c

-rw-r--r--

gnu/usr.bin/lynx/src/LYStrings.h

6 files changed, 96 insertions, 23 deletions

diff --git a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.c b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.c
index 9e75b8db7c3..097f091d40b 100644
--- a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.c
+++ b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.c

@@ -669,8 +669,8 @@ PUBLIC char * HTRelative ARGS2(

return result;

}

-/* Escape undesirable characters using % HTEscape()

-** -------------------------------------

+/* Escape undesirable characters using % HTEscape()

+** -------------------------------------

** This function takes a pointer to a string in which

** some characters may be unacceptable unescaped.

@@ -683,7 +683,7 @@ PRIVATE CONST unsigned char isAcceptable[96] =

/* Bit 0 xalpha -- see HTFile.h

** Bit 1 xpalpha -- as xalpha but with plus.

-** Bit 3 ... path -- as xpalphas but with /

+** Bit 2 ... path -- as xpalphas but with /

/* 0 1 2 3 4 5 6 7 8 9 A B C D E F */

{ 0,0,0,0,0,0,0,0,0,0,7,6,0,7,7,4, /* 2x !"#$%&'()*+,-./ */

@@ -713,13 +713,51 @@ PUBLIC char * HTEscape ARGS2(

for (q = result, p = str; *p; p++) {

unsigned char a = TOASCII(*p);

if (!ACCEPTABLE(a)) {

- *q++ = HEX_ESCAPE; /* Means hex commming */

+ *q++ = HEX_ESCAPE; /* Means hex coming */

*q++ = hex[a >> 4];

*q++ = hex[a & 15];

}

else *q++ = *p;

}

- *q++ = '\0'; /* Terminate */

+ *q++ = '\0'; /* Terminate */

+ return result;

+/* Escape unsafe characters using % HTEscapeUnsafe()

+** --------------------------------

+**

+** This function takes a pointer to a string in which

+** some characters that may be unsafe are unescaped.

+** It returns a string which has these characters

+** represented by a '%' character followed by two new hex digits.

+**

+** Unlike HTUnEscape(), this routine returns a malloc'd string.

+*/

+#define UNSAFE(ch) (((ch) <= 32 ) || ((ch) >= 127))

+PUBLIC char *HTEscapeUnsafe ARGS1(

+ CONST char *, str)

+ CONST char * p;

+ char * q;

+ char * result;

+ int unacceptable = 0;

+ for (p = str; *p; p++)

+ if (UNSAFE((unsigned char)TOASCII(*p)))

+ unacceptable++;

+ result = (char *)calloc(1, (p-str + unacceptable + unacceptable + 1));

+ if (result == NULL)

+ outofmem(__FILE__, "HTEscapeUnsafe");

+ for (q = result, p = str; *p; p++) {

+ unsigned char a = TOASCII(*p);

+ if (UNSAFE(a)) {

+ *q++ = HEX_ESCAPE; /* Means hex coming */

+ *q++ = hex[a >> 4];

+ *q++ = hex[a & 15];

+ }

+ else *q++ = *p;

+ }

+ *q++ = '\0'; /* Terminate */

return result;

}

@@ -760,7 +798,7 @@ PUBLIC char * HTEscapeSP ARGS2(

*q++ = *p;

}

- *q++ = '\0'; /* Terminate */

+ *q++ = '\0'; /* Terminate */

return result;

}

diff --git a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.h b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.h
index 2f3c522cb85..46525bb8d9c 100644
--- a/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.h
+++ b/gnu/usr.bin/lynx/WWW/Library/Implementation/HTParse.h

@@ -113,26 +113,39 @@ extern char * HTRelative PARAMS((

** -------------------------------------

** This function takes a pointer to a string in which

-** some characters may be unacceptable unescaped.

+** some characters may be unacceptable are unescaped.

** It returns a string which has these characters

** represented by a '%' character followed by two hex digits.

-** Unlike HTUnEscape(), this routine returns a malloced string.

+** Unlike HTUnEscape(), this routine returns a malloc'd string.

extern char * HTEscape PARAMS((

CONST char * str,

unsigned char mask));

+/* Escape unsafe characters using % HTEscapeUnsafe()

+** --------------------------------

+**

+** This function takes a pointer to a string in which

+** some characters may be that may be unsafe are unescaped.

+** It returns a string which has these characters

+** represented by a '%' character followed by two hex digits.

+**

+** Unlike HTUnEscape(), this routine returns a malloc'd string.

+*/

+extern char * HTEscapeUnsafe PARAMS((

+ CONST char * str));

/* Escape undesirable characters using % but space to +. HTEscapeSP()

** -----------------------------------------------------

** This function takes a pointer to a string in which

-** some characters may be unacceptable unescaped.

+** some characters may be unacceptable are unescaped.

** It returns a string which has these characters

** represented by a '%' character followed by two hex digits,

** except that spaces are converted to '+' instead of %2B.

-** Unlike HTUnEscape(), this routine returns a malloced string.

+** Unlike HTUnEscape(), this routine returns a malloc'd string.

extern char * HTEscapeSP PARAMS((

CONST char * str,

diff --git a/gnu/usr.bin/lynx/src/LYMain.c b/gnu/usr.bin/lynx/src/LYMain.c
index 136bc6c5890..7f3707c64af 100644
--- a/gnu/usr.bin/lynx/src/LYMain.c
+++ b/gnu/usr.bin/lynx/src/LYMain.c

@@ -796,7 +796,7 @@ PUBLIC int main ARGS2(

AlertSecs = (int)ALERTSECS;

StrAllocCopy(helpfile, HELPFILE);

StrAllocCopy(startfile, STARTFILE);

- LYTrimStartfile(startfile);

+ LYEscapeStartfile(&startfile);

StrAllocCopy(indexfile, DEFAULT_INDEX_FILE);

StrAllocCopy(global_type_map, GLOBAL_MAILCAP);

StrAllocCopy(personal_type_map, PERSONAL_MAILCAP);

@@ -1382,7 +1382,7 @@ PUBLIC int main ARGS2(

if ((cp = getenv("WWW_HOME")) != NULL) {

StrAllocCopy(startfile, cp);

- LYTrimStartfile(startfile);

+ LYEscapeStartfile(&startfile);

}

@@ -2307,7 +2307,7 @@ static int homepage_fun ARGS1(

{

if (next_arg != 0) {

StrAllocCopy(homepage, next_arg);

- LYTrimStartfile(homepage);

+ LYEscapeStartfile(&homepage);

}

return 0;

}

@@ -3228,7 +3228,7 @@ PRIVATE void parse_arg ARGS2(

#endif

{

StrAllocCopy(startfile, arg_name);

- LYTrimStartfile(startfile);

+ LYEscapeStartfile(&startfile);

return;

}

#if EXTENDED_OPTION_LOGIC

diff --git a/gnu/usr.bin/lynx/src/LYMainLoop.c b/gnu/usr.bin/lynx/src/LYMainLoop.c
index 8bdc0ae0edd..31d120938dc 100644
--- a/gnu/usr.bin/lynx/src/LYMainLoop.c
+++ b/gnu/usr.bin/lynx/src/LYMainLoop.c

@@ -3356,9 +3356,7 @@ new_cmd: /*

((links[curdoc.link].type == WWW_FORM_LINK_TYPE)

? links[curdoc.link].form->submit_action

: links[curdoc.link].lname))) {

- if (!LYTrimStartfile(user_input_buffer)) {

- LYRemoveBlanks(user_input_buffer);

- }

+ LYTrimAllStartfile(user_input_buffer);

if (user_input_buffer[0] != '\0') {

goto check_goto_URL;

}

@@ -3428,9 +3426,7 @@ new_cmd: /*

sizeof(user_input_buffer), RECALL)) >= 0) &&

user_input_buffer[0] != '\0' &&

strcmp(user_input_buffer, curdoc.address)) {

- if (!LYTrimStartfile(user_input_buffer)) {

- LYRemoveBlanks(user_input_buffer);

- }

+ LYTrimAllStartfile(user_input_buffer);

if (user_input_buffer[0] != '\0') {

goto check_goto_URL;

}

@@ -3488,9 +3484,7 @@ check_recall:

* Get rid of leading spaces (and any other spaces).

- if (!LYTrimStartfile(user_input_buffer)) {

- LYRemoveBlanks(user_input_buffer);

- }

+ LYTrimAllStartfile(user_input_buffer);

if (*user_input_buffer == '\0' &&

!(recall && (ch == UPARROW || ch == DNARROW))) {

strcpy(user_input_buffer, temp);

diff --git a/gnu/usr.bin/lynx/src/LYStrings.c b/gnu/usr.bin/lynx/src/LYStrings.c
index 0b493dd781a..02796c6c5b5 100644
--- a/gnu/usr.bin/lynx/src/LYStrings.c
+++ b/gnu/usr.bin/lynx/src/LYStrings.c

@@ -1758,6 +1758,30 @@ PUBLIC BOOLEAN LYTrimStartfile ARGS1(

}

+ * Escape unsafe characters in startfile, except for lynx internal URLs.

+ */

+PUBLIC void LYEscapeStartfile ARGS1(

+ char **, buffer)

+ if (!LYTrimStartfile(*buffer)) {

+ char *escaped = HTEscapeUnsafe(*buffer);

+ StrAllocCopy(*buffer, escaped);

+ FREE(escaped);

+ }

+/*

+ * Trim all blanks from startfile, except for lynx internal URLs.

+ */

+PUBLIC void LYTrimAllStartfile ARGS1(

+ char *, buffer)

+ if (!LYTrimStartfile(buffer)) {

+ LYRemoveBlanks(buffer);

+ }

+/*

** Display the current value of the string and allow the user

** to edit it.

diff --git a/gnu/usr.bin/lynx/src/LYStrings.h b/gnu/usr.bin/lynx/src/LYStrings.h
index d3f4b5822cf..cb2acf490dd 100644
--- a/gnu/usr.bin/lynx/src/LYStrings.h
+++ b/gnu/usr.bin/lynx/src/LYStrings.h

@@ -187,6 +187,8 @@ typedef struct _EditFieldData {

extern int lynx_initialize_keymaps NOPARAMS;

#endif

+extern void LYEscapeStartfile PARAMS((

+ char ** buffer));

extern void LYLowerCase PARAMS((

char * buffer));

extern void LYUpperCase PARAMS((

@@ -205,6 +207,8 @@ extern void LYTrimLeading PARAMS((

char * buffer));

extern void LYTrimTrailing PARAMS((

char * buffer));

+extern void LYTrimAllStartfile PARAMS((

+ char * buffer));

extern BOOLEAN LYTrimStartfile PARAMS((

char * buffer));

extern void LYSetupEdit PARAMS((