From cb98017ae9dabe7e9ddb5ca7ed32e42a9ad16078 Mon Sep 17 00:00:00 2001 From: Peter Pentchev Date: Mon, 27 Oct 2003 12:18:06 +0000 Subject: Fix the vulnerabilities reported in Chris Leishman's BugTraq post of 2003/01/07, and a couple of other ones while I'm here. This could still benefit from an in-depth audit, though. Bump PORTREVISION, unquote COMMENT, remove the FORBIDDEN tag. --- www/cgihtml/files/patch-aa | 114 +++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 111 insertions(+), 3 deletions(-) (limited to 'www/cgihtml/files') diff --git a/www/cgihtml/files/patch-aa b/www/cgihtml/files/patch-aa index c9a4210cdd20..f208f6cfb91b 100644 --- a/www/cgihtml/files/patch-aa +++ b/www/cgihtml/files/patch-aa @@ -1,6 +1,114 @@ ---- cgi-lib.c Wed Apr 11 20:03:57 2001 -+++ cgi-lib.c Wed Apr 11 20:04:20 2001 -@@ -529,9 +529,9 @@ +Index: cgi-lib.c +=================================================================== +RCS file: /home/cvs/ringlet/c/contrib/www/cgihtml/cgi-lib.c,v +retrieving revision 1.1.1.1 +retrieving revision 1.6 +diff -u -r1.1.1.1 -r1.6 +--- cgi-lib.c 27 Oct 2003 09:39:04 -0000 1.1.1.1 ++++ cgi-lib.c 27 Oct 2003 12:07:00 -0000 1.6 +@@ -17,6 +17,10 @@ + + #ifdef WINDOWS + #include ++#define mktemp _mktemp ++#define snprintf _snprintf ++#else ++#include + #endif + + #include "cgi-lib.h" +@@ -87,11 +91,11 @@ + + char *get_POST() + { +- unsigned int content_length; ++ size_t content_length; + char *buffer; + + if (CONTENT_LENGTH != NULL) { +- content_length = atoi(CONTENT_LENGTH); ++ content_length = (size_t)strtoull(CONTENT_LENGTH, NULL, 10); + buffer = (char *)malloc(sizeof(char) * content_length + 1); + if (fread(buffer,sizeof(char),content_length,stdin) != content_length) { + /* consistency error. */ +@@ -202,7 +206,7 @@ + + int parse_form_encoded(llist* entries) + { +- long content_length; ++ size_t content_length, fnsize; + entrytype entry; + node* window; + FILE *uploadfile; +@@ -220,7 +224,7 @@ + _fmode = BINARY; /* default all file I/O as binary */ + #endif + if (CONTENT_LENGTH != NULL) +- content_length = atol(CONTENT_LENGTH); ++ content_length = (size_t)strtoull(CONTENT_LENGTH, NULL, 10); + else + return 0; + /* get boundary */ +@@ -241,14 +245,20 @@ + robustness sake. */ + buffer[bytesread] = '\0'; + tempstr = newstr(buffer); +- tempstr += (sizeof(char) * 38); /* 38 is header up to name */ +- entry.name = tempstr; ++ entry.name = strstr(tempstr, "name=\""); ++ if (entry.name == NULL) { ++ free(tempstr); ++ return 0; ++ } ++ entry.name += 6; ++ if (strchr(entry.name, '"') == NULL) { ++ free(tempstr); ++ return 0; ++ } ++ *strchr(entry.name, '"') = '\0'; + entry.value = (char *)malloc(sizeof(char) * BUFSIZ + 1); + buffersize = BUFSIZ; + strcpy(entry.value,""); +- while (*tempstr != '"') +- tempstr++; +- *tempstr = '\0'; + if (strstr(buffer,"filename=\"") != NULL) { + isfile = 1; + tempstr = newstr(buffer); +@@ -258,9 +268,9 @@ + entry.value = (char *) realloc(entry.value, sizeof(char) * + strlen(tempstr)+1); + entry.value = tempstr; +- while (*tempstr != '"') +- tempstr++; +- *tempstr = '\0'; ++ if (strchr(tempstr, '"') == NULL) ++ return 0; ++ *strchr(tempstr, '"') = '\0'; + /* Netscape's Windows browsers handle paths differently from its + UNIX and Mac browsers. It delivers a full path for the uploaded + file (which it shouldn't do), and it uses backslashes rather than +@@ -275,13 +285,12 @@ + } + window = list_insafter(entries,window,entry); + numentries++; +- uploadfname = (char *)malloc(strlen(UPLOADDIR)+strlen(entry.value)+2); +-#ifdef WINDOWS +- sprintf(uploadfname,"%s\\%s",UPLOADDIR,entry.value); +-#else +- sprintf(uploadfname,"%s/%s",UPLOADDIR,entry.value); +-#endif +- if ( (uploadfile = fopen(uploadfname,"w")) == NULL) { ++ fnsize = strlen(UPLOADDIR) + 30; ++ uploadfname = (char *)malloc(fnsize); ++ snprintf(uploadfname,fnsize,"%s/cgihtml-upload-XXXXXX",UPLOADDIR); ++ uploadfname[fnsize - 1] = '\0'; ++ if (mktemp(uploadfname) == NULL || ++ (uploadfile = fopen(uploadfname,"w")) == NULL) { + /* null filename; for now, just don't save info. later, save + to default file */ + isfile = 0; +@@ -529,9 +538,9 @@ int numcookies = 0; short NM = 1; -- cgit v1.2.3