diff options
author | John Keeping | 2013-04-01 19:03:34 +0100 |
---|---|---|
committer | Jason A. Donenfeld | 2013-04-08 15:59:46 +0200 |
commit | b1f17f168b91d709c0c0e62608de301a36f06da9 (patch) | |
tree | 9aff1fe903087cb5016ab2afdb32a7ca1cc139b2 | |
parent | 4b4a62d507adc61e20e75e2748301ef307a6c95f (diff) | |
download | cgit-b1f17f168b91d709c0c0e62608de301a36f06da9.tar.gz cgit-b1f17f168b91d709c0c0e62608de301a36f06da9.tar.bz2 cgit-b1f17f168b91d709c0c0e62608de301a36f06da9.zip |
Fix out-of-bounds memory accesses with virtual_root=""
The CGit configuration variable virtual_root is normalized so that it
does not have a trailing '/' character, but it is allowed to be empty
(the empty string and NULL have different meanings here) and there is
code that is insufficiently cautious when checking if it ends in a '/':
if (virtual_root[strlen(virtual_root) - 1] != '/')
Clearly this check is redundant, but rather than simply removing it we
get a slight efficiency improvement by switching the normalization so
that the virtual_root variable always ends in '/'. Do this with a new
"ensure_end" helper.
Signed-off-by: John Keeping <john@keeping.me.uk>
-rw-r--r-- | cgit.c | 11 | ||||
-rw-r--r-- | cgit.h | 3 | ||||
-rw-r--r-- | shared.c | 15 | ||||
-rw-r--r-- | ui-shared.c | 14 |
4 files changed, 25 insertions, 18 deletions
@@ -155,9 +155,7 @@ static void config_cb(const char *name, const char *value) | |||
155 | else if (!strcmp(name, "strict-export")) | 155 | else if (!strcmp(name, "strict-export")) |
156 | ctx.cfg.strict_export = xstrdup(value); | 156 | ctx.cfg.strict_export = xstrdup(value); |
157 | else if (!strcmp(name, "virtual-root")) { | 157 | else if (!strcmp(name, "virtual-root")) { |
158 | ctx.cfg.virtual_root = trim_end(value, '/'); | 158 | ctx.cfg.virtual_root = ensure_end(value, '/'); |
159 | if (!ctx.cfg.virtual_root && (!strcmp(value, "/"))) | ||
160 | ctx.cfg.virtual_root = ""; | ||
161 | } else if (!strcmp(name, "nocache")) | 159 | } else if (!strcmp(name, "nocache")) |
162 | ctx.cfg.nocache = atoi(value); | 160 | ctx.cfg.nocache = atoi(value); |
163 | else if (!strcmp(name, "noplainemail")) | 161 | else if (!strcmp(name, "noplainemail")) |
@@ -833,11 +831,8 @@ int main(int argc, const char **argv) | |||
833 | * that virtual-root equals SCRIPT_NAME, minus any possibly | 831 | * that virtual-root equals SCRIPT_NAME, minus any possibly |
834 | * trailing slashes. | 832 | * trailing slashes. |
835 | */ | 833 | */ |
836 | if (!ctx.cfg.virtual_root && ctx.cfg.script_name) { | 834 | if (!ctx.cfg.virtual_root && ctx.cfg.script_name) |
837 | ctx.cfg.virtual_root = trim_end(ctx.cfg.script_name, '/'); | 835 | ctx.cfg.virtual_root = ensure_end(ctx.cfg.script_name, '/'); |
838 | if (!ctx.cfg.virtual_root) | ||
839 | ctx.cfg.virtual_root = ""; | ||
840 | } | ||
841 | 836 | ||
842 | /* If no url parameter is specified on the querystring, lets | 837 | /* If no url parameter is specified on the querystring, lets |
843 | * use PATH_INFO as url. This allows cgit to work with virtual | 838 | * use PATH_INFO as url. This allows cgit to work with virtual |
@@ -190,7 +190,7 @@ struct cgit_config { | |||
190 | char *script_name; | 190 | char *script_name; |
191 | char *section; | 191 | char *section; |
192 | char *repository_sort; | 192 | char *repository_sort; |
193 | char *virtual_root; | 193 | char *virtual_root; /* Always ends with '/'. */ |
194 | char *strict_export; | 194 | char *strict_export; |
195 | int cache_size; | 195 | int cache_size; |
196 | int cache_dynamic_ttl; | 196 | int cache_dynamic_ttl; |
@@ -300,6 +300,7 @@ extern int chk_positive(int result, char *msg); | |||
300 | extern int chk_non_negative(int result, char *msg); | 300 | extern int chk_non_negative(int result, char *msg); |
301 | 301 | ||
302 | extern char *trim_end(const char *str, char c); | 302 | extern char *trim_end(const char *str, char c); |
303 | extern char *ensure_end(const char *str, char c); | ||
303 | extern char *strlpart(char *txt, int maxlen); | 304 | extern char *strlpart(char *txt, int maxlen); |
304 | extern char *strrpart(char *txt, int maxlen); | 305 | extern char *strrpart(char *txt, int maxlen); |
305 | 306 | ||
@@ -115,6 +115,21 @@ char *trim_end(const char *str, char c) | |||
115 | return xstrndup(str, len); | 115 | return xstrndup(str, len); |
116 | } | 116 | } |
117 | 117 | ||
118 | char *ensure_end(const char *str, char c) | ||
119 | { | ||
120 | size_t len = strlen(str); | ||
121 | char *result; | ||
122 | |||
123 | if (len && str[len - 1] == c) | ||
124 | return xstrndup(str, len); | ||
125 | |||
126 | result = xmalloc(len + 2); | ||
127 | memcpy(result, str, len); | ||
128 | result[len] = '/'; | ||
129 | result[len + 1] = '\0'; | ||
130 | return result; | ||
131 | } | ||
132 | |||
118 | char *strlpart(char *txt, int maxlen) | 133 | char *strlpart(char *txt, int maxlen) |
119 | { | 134 | { |
120 | char *result; | 135 | char *result; |
diff --git a/ui-shared.c b/ui-shared.c index 945d560..c1f3c20 100644 --- a/ui-shared.c +++ b/ui-shared.c | |||
@@ -57,7 +57,7 @@ const char *cgit_hosturl() | |||
57 | const char *cgit_rooturl() | 57 | const char *cgit_rooturl() |
58 | { | 58 | { |
59 | if (ctx.cfg.virtual_root) | 59 | if (ctx.cfg.virtual_root) |
60 | return fmt("%s/", ctx.cfg.virtual_root); | 60 | return ctx.cfg.virtual_root; |
61 | else | 61 | else |
62 | return ctx.cfg.script_name; | 62 | return ctx.cfg.script_name; |
63 | } | 63 | } |
@@ -65,7 +65,7 @@ const char *cgit_rooturl() | |||
65 | char *cgit_repourl(const char *reponame) | 65 | char *cgit_repourl(const char *reponame) |
66 | { | 66 | { |
67 | if (ctx.cfg.virtual_root) { | 67 | if (ctx.cfg.virtual_root) { |
68 | return fmt("%s/%s/", ctx.cfg.virtual_root, reponame); | 68 | return fmt("%s%s/", ctx.cfg.virtual_root, reponame); |
69 | } else { | 69 | } else { |
70 | return fmt("?r=%s", reponame); | 70 | return fmt("?r=%s", reponame); |
71 | } | 71 | } |
@@ -78,7 +78,7 @@ char *cgit_fileurl(const char *reponame, const char *pagename, | |||
78 | char *delim; | 78 | char *delim; |
79 | 79 | ||
80 | if (ctx.cfg.virtual_root) { | 80 | if (ctx.cfg.virtual_root) { |
81 | tmp = fmt("%s/%s/%s/%s", ctx.cfg.virtual_root, reponame, | 81 | tmp = fmt("%s%s/%s/%s", ctx.cfg.virtual_root, reponame, |
82 | pagename, (filename ? filename:"")); | 82 | pagename, (filename ? filename:"")); |
83 | delim = "?"; | 83 | delim = "?"; |
84 | } else { | 84 | } else { |
@@ -126,11 +126,9 @@ static void site_url(const char *page, const char *search, const char *sort, int | |||
126 | { | 126 | { |
127 | char *delim = "?"; | 127 | char *delim = "?"; |
128 | 128 | ||
129 | if (ctx.cfg.virtual_root) { | 129 | if (ctx.cfg.virtual_root) |
130 | html_attr(ctx.cfg.virtual_root); | 130 | html_attr(ctx.cfg.virtual_root); |
131 | if (ctx.cfg.virtual_root[strlen(ctx.cfg.virtual_root) - 1] != '/') | 131 | else |
132 | html("/"); | ||
133 | } else | ||
134 | html(ctx.cfg.script_name); | 132 | html(ctx.cfg.script_name); |
135 | 133 | ||
136 | if (page) { | 134 | if (page) { |
@@ -201,8 +199,6 @@ static char *repolink(const char *title, const char *class, const char *page, | |||
201 | html(" href='"); | 199 | html(" href='"); |
202 | if (ctx.cfg.virtual_root) { | 200 | if (ctx.cfg.virtual_root) { |
203 | html_url_path(ctx.cfg.virtual_root); | 201 | html_url_path(ctx.cfg.virtual_root); |
204 | if (ctx.cfg.virtual_root[strlen(ctx.cfg.virtual_root) - 1] != '/') | ||
205 | html("/"); | ||
206 | html_url_path(ctx.repo->url); | 202 | html_url_path(ctx.repo->url); |
207 | if (ctx.repo->url[strlen(ctx.repo->url) - 1] != '/') | 203 | if (ctx.repo->url[strlen(ctx.repo->url) - 1] != '/') |
208 | html("/"); | 204 | html("/"); |