[project @ 2004-05-01 21:37:29 by joty]

fetch_curl_header() : better protection against malformed header lines; realm data line is now properly terminated with NUL character. svn path=/import/netsurf/; revision=810
2024-11-22 22:41:30 +03:00 · 2004-05-01 21:37:29 +00:00 · 2004-05-01 21:37:29 +00:00 · 49ac08e2e4
commit 49ac08e2e4
parent dcfa1164d3
1 changed files with 23 additions and 12 deletions
--- a/content/fetch.c
+++ b/content/fetch.c
@ -609,33 +609,44 @@ size_t fetch_curl_header(char * data, size_t size, size_t nmemb, struct fetch *f
 			LOG(("malloc failed"));
 			return size;
 		}
-		for (i = 9; data[i] == ' ' || data[i] == '\t'; i++)
-			;
+		for (i = 9; i < size && (data[i] == ' ' || data[i] == '\t'); i++)
+			/* */;
 		strncpy(f->location, data + i, size - i);
-		for (i = size - i - 1; f->location[i] == ' ' ||
+		f->location[size - i] = '\0';
+		for (i = size - i - 1; i >= 0 &&
+				(f->location[i] == ' ' ||
 				f->location[i] == '\t' ||
 				f->location[i] == '\r' ||
-				f->location[i] == '\n'; i--)
+				f->location[i] == '\n'); i--)
 			f->location[i] = '\0';
 	} else if (15 < size && strncasecmp(data, "Content-Length:", 15) == 0) {
 		/* extract Content-Length header */
-		for (i = 15; data[i] == ' ' || data[i] == '\t'; i++)
-			;
+		for (i = 15; i < size && (data[i] == ' ' || data[i] == '\t'); i++)
+			/* */;
 		if ('0' <= data[i] && data[i] <= '9')
 			f->content_length = atol(data + i);
 #ifdef WITH_AUTH
-	} else if (16 < size && strncasecmp(data, "WWW-Authenticate",16) == 0) {
-		/* extract Realm from WWW-Authenticate header */
+	} else if (16 < size && strncasecmp(data, "WWW-Authenticate", 16) == 0) {
+		/* extract the first Realm from WWW-Authenticate header */
 		free(f->realm);
 		f->realm = malloc(size);
 		if (!f->realm) {
 			LOG(("malloc failed"));
 			return size;
 		}
-		/** \todo  this code looks dangerous */
-	        for (i=16;(unsigned int)i!=strlen(data);i++)
-	               if(data[i]=='=')break;
-	        strncpy(f->realm, data+i+2, size-i-5);
+		for (i = 16; i < size && data[i] != '='; i++)
+			/* */;
+		while (i < size && data[++i] == '"')
+			/* */;
+		strncpy(f->realm, data + i, size - i);
+		f->realm[size - i] = '\0';
+		for (i = size - i - 1; i >= 0 &&
+				(f->realm[i] == ' ' ||
+				f->realm[i] == '"' ||
+				f->realm[i] == '\t' ||
+				f->realm[i] == '\r' ||
+				f->realm[i] == '\n'); --i)
+			f->realm[i] = '\0';
 #endif
 	}
 	return size;