get-url debug option insecure

Started by kosh, June 19, 2011, 10:23:26 AM


kosh

Hi.



When a url-encoded string is passed to "get-url", the debug output is not correct.

It happens because the url-encoded string is passed directly as the varPrintf function's format argument.


newLISP v.10.3.0 on BSD IPv4/6 UTF-8, execute 'newlisp -h' for more info.

> (get-url "http://localhost/%E6%97%A5%E6%9C%AC%E8%AA%9E.txt" "header debug")
HEAD /2.371515E-3226                                                                                                %A5-1.239576E-016   ・戟・0X1.45100BFBFB98CP-380C-1.246019E-0180X1.84038918P-1041A5.691031E-270.txt HTTP/1.1
Host: localhost
User-Agent: newLISP v10300
Connection: close

"Date: Sun, 19 Jun 2011 15:40:05 GMT\r\nServer: Apache/1.3.41 (Unix) mod_tsunami/3.0 mod_gzip/1.3.26.1a\r\nLast-Modified: Wed, 22 Oct 2003 02:25:04 GMT\r\nETag: "35e800b-1de-3f95ea80;4d229c99"\r\nAccept-Ranges: bytes\r\nContent-Length: 478\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n"
>


Patch file is here:


--- nl-web.c.orig 2011-06-20 00:19:52.000000000 +0900
+++ nl-web.c 2011-06-20 00:22:55.000000000 +0900
@@ -182,7 +182,7 @@
 vasprintf(&buffer, format, argptr);
 
 result = send(sock, buffer, strlen(buffer), NO_FLAGS_SET);
-if(debug) varPrintf(OUT_CONSOLE, buffer);
+if(debug) varPrintf(OUT_CONSOLE, "%s", buffer);
 
 freeMemory(buffer);
 va_end(argptr);
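Review bot: the change to `varPrintf(OUT_CONSOLE, "%s", buffer)` is the right fix here: `buffer` has already been expanded by `vasprintf(&buffer, format, argptr)`, so any `%` that arrived through the caller's arguments (the percent-encoded URL in the report) is data by now and must not go through a format parser a second time. Two things in the same hunk still deserve a look: `vasprintf` returns -1 and leaves `buffer` unspecified when allocation fails, and nothing here checks that before `send`/`strlen`/`freeMemory`; and the debug echo shows what was formatted, not what `send` accepted, since `result` is not consulted before printing.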
@@ -446,14 +446,14 @@
 
  if(transfer(sock, putPostStr, size) == SOCKET_ERROR)
  return(webError(ERROR_TRANSFER));
- if(debugFlag) varPrintf(OUT_CONSOLE, putPostStr);
+ if(debugFlag) varPrintf(OUT_CONSOLE, "%s", putPostStr);
  }
 else if(type == HTTP_POST)
  {
  sendf(sock, debugFlag, "Content-type: %srnContent-length: %drnrn", contentType, size);
  if(transfer(sock, putPostStr, size) == SOCKET_ERROR)
  return(webError(ERROR_TRANSFER));
- if(debugFlag) varPrintf(OUT_CONSOLE, putPostStr);
+ if(debugFlag) varPrintf(OUT_CONSOLE, "%s", putPostStr);
  }
 else /* HTTP_GET, HTTP_DELETE */
  sendf(sock, debugFlag, "rn");
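Review bot: `putPostStr` is the request body supplied by the caller, so echoing it as the format was the same class of bug as the request line; passing it through `"%s"` in both the PUT branch and the POST branch is correct. One caveat: `transfer(sock, putPostStr, size)` sends `size` bytes, while `"%s"` stops at the first NUL, so the debug echo of a binary body can be shorter than what went on the wire; if the echo is meant to be faithful, `"%.*s"` with `size` is the safer form. The `rn` in the `Content-type` format string reads as `\r\n` with the backslashes lost in the forum rendering; the committed source should be checked for the escapes.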
@@ -1023,7 +1023,7 @@
  close(getSocket(IOchannel));
  }
 else
- varPrintf(OUT_CONSOLE, content);
+ varPrintf(OUT_CONSOLE, "%s", content);
 return;
 #endif
 #ifdef DEBUGHTTP
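Review bot: this is the most important of the three hunks: in the `else` branch `content` was printed as the format, and if `content` is what was received on `IOchannel` (the branch above closes that channel), the format string was controlled by whatever the remote side sent rather than by the local caller. `"%s"` is the correct fix; the same NUL-truncation caveat applies if `content` can carry binary data. Since this call sits between an `#endif` and `#ifdef DEBUGHTTP`, the non-debug build should also be searched for any remaining `varPrintf(OUT_CONSOLE, <non-literal>)` calls.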

Lutz

#1
Thank you very much Kosh!



It's fixed here:



http://www.newlisp.org/downloads/development/inprogress/

kosh

#2
Thanks Lutz. The fixed newlisp is working fine :)



I found a similar problem in 'get-url' with a custom header.




--- nl-web.orig.c 2011-07-12 01:48:20.000000000 +0900
+++ nl-web.c 2011-07-12 01:40:20.000000000 +0900
@@ -427,7 +427,7 @@
 
 /* send optional custom header entries */
 if (customHeader != NULL)
-    sendf(sock, debugFlag, customHeader);
+    sendf(sock, debugFlag, "%s", customHeader);
 else
  {
  sendf(sock, debugFlag, "User-Agent: newLISP v%drn", version);
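Review bot: passing `customHeader` as sendf's `format` meant the user-supplied header went through `vasprintf` with no arguments, so any `%` in it would read missing varargs; `"%s"` turns it into data. Because `sendf` does both the `send` and the debug `varPrintf`, this one change covers the wire and the debug echo together, unlike the first patch where the two had to be fixed separately. Worth noting for callers: the header is now sent byte-for-byte, so a literal `%` in a custom header no longer has to be written as `%%`.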


Regards.
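As an added C example, not newLISP's source and not kosh's patch, the following models the pattern both reports in this thread are about: a buffer that already contains caller data (the percent-encoded URL in the first post) or a caller-supplied custom header (the second post) handed to a printf-family function as its format. `sendf_model`, `head_line_echo`, `custom_header_echo` and `has_conversion_spec` are hypothetical names, the sample URL and header are constructed, and the "socket" is just a string buffer.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs (not captured traffic): the percent-encoded
   path from the first report, and a hypothetical custom header whose
   value legitimately contains a '%'. */
static const char SAMPLE_URL[] =
    "http://localhost/%E6%97%A5%E6%9C%AC%E8%AA%9E.txt";
static const char SAMPLE_HEADER[] = "X-Quota: 95%\r\n";

/* Returns 1 if 's' contains a '%' that a printf-family function would
   parse as a conversion specification (any '%' not immediately followed
   by another '%'). Handy as a guard in front of legacy printf(buf) calls. */
int has_conversion_spec(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Model of sendf() as it reads after the fix (stand-in: writes the debug
   echo into 'echo' instead of a console, and has no socket). The caller's
   format is expanded exactly once; the expanded buffer is then echoed
   through a fixed "%s" so it is never re-parsed as a format. Returns the
   length of the formatted message, or -1 if formatting failed. */
int sendf_model(char *echo, size_t echo_len, const char *format, ...)
{
    char buffer[512];
    va_list ap;
    int n;

    va_start(ap, format);
    n = vsnprintf(buffer, sizeof buffer, format, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= sizeof buffer)
        return -1;

    /* Pre-fix code did the equivalent of printf(buffer): the "%E6" inside
       the URL above would then be read as a %E conversion with no argument
       (undefined behaviour, and the garbage seen in the report). The data
       must always travel as an argument to a fixed format. */
    snprintf(echo, echo_len, "%s", buffer);
    return n;
}

/* HEAD request line for 'url', as get-url "header debug" would echo it.
   Returns a static buffer (demonstration only), or NULL on error. */
const char *head_line_echo(const char *url)
{
    static char echo[512];
    if (sendf_model(echo, sizeof echo, "HEAD %s HTTP/1.1\r\n", url) < 0)
        return NULL;
    return echo;
}

/* Custom header sent the way the second patch does it: the header is an
   argument to a fixed "%s" format, never the format itself. */
const char *custom_header_echo(const char *header)
{
    static char echo[512];
    if (sendf_model(echo, sizeof echo, "%s", header) < 0)
        return NULL;
    return echo;
}

int main(void)
{
    const char *line = head_line_echo(SAMPLE_URL);
    printf("%s", line);
    printf("%s", custom_header_echo(SAMPLE_HEADER));
    printf("echo contains conversion specs: %d\n", has_conversion_spec(line));
    return 0;
}
```

Building with `-Wall -Wformat=2` (which includes `-Wformat-security`) makes the compiler flag the pre-fix shape, a non-literal format with no arguments, so the pattern patched in this thread can be found mechanically in the rest of a code base rather than one report at a time.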

Lutz

#3
Thank you very much again Kosh!



Fixed here:



http://www.newlisp.org/downloads/development/inprogress/