On Thu, Sep 25, 2014 at 09:56:30PM -0500, Salz, Rich wrote:

> +static int tohex(char c)
> +     {
> +     switch (c)
> +             {
> +             case '0': return 0;
> +             case '1': return 1;
> +             case '2': return 2;
> +             case '3': return 3;
> +             case '4': return 4;
> +             case '5': return 5;
> +             case '6': return 6;
> +             case '7': return 7;
> +             case '8': return 8;
> +             case '9': return 9;
> +             case 'A': case 'a': return 10;
> +             case 'B': case 'b': return 11;
> +             case 'C': case 'c': return 12;
> +             case 'D': case 'd': return 13;
> +             case 'E': case 'e': return 14;
> +             case 'F': case 'f': return 15;
> +             }
> +     return 0;
> +     }
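
Review bot: the fall-through 'return 0;' after the switch gives an invalid character the same result as '0', so the caller has no way to notice it; returning -1 there and checking for it at the call site would make the failure visible. The name 'tohex' also reads as integer-to-hex, while the function maps a hex digit to its value.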

This code treats non-hex characters as zero; they should trigger
an error.

> +             /* URL decode? Really shouldn't be needed. */
> +             if (strchr(p, '+') != NULL && strchr(p, '%') != NULL)
> +                 p = urldecode(p);
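
Review bot: 'p = urldecode(p);' overwrites 'p' with the result without checking it, so if 'urldecode' can fail or hand back a different buffer, the code that follows needs a NULL check and a clear owner for that buffer. The comment says the decode "really shouldn't be needed" but not why it is done anyway; a sentence on which clients send encoded requests would help the next reader.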

That '&&' should be '||'.  Is it OK to modify 'p' (aka inbuf) in
place?

> +     else if (!strncmp(inbuf, "POST", 4))
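
Review bot: the length '4' in 'strncmp(inbuf, "POST", 4)' is hand-counted and has to be kept in step with the literal; comparing against "POST " with 'sizeof("POST ") - 1' would drop the magic number and take the separator into the match. Writing the test as 'strncmp(...) == 0' would also read more clearly than '!strncmp(...)'.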

This and the "GET" case above it should check for a space following
"POST" or "GET".

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
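
The three review points in the message above, shown together as an added example that is not part of the original message or of the OpenSSL patch. The names hex_value, url_decode_strict and has_method are hypothetical, and the digit arithmetic assumes an ASCII character set.

```c
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit (assumes ASCII). */
static int hex_value(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode s in place: '+' -> space, %XX -> byte. Returns the decoded length,
 * or -1 on a truncated or non-hex escape (s may then be partly rewritten). */
static long url_decode_strict(char *s)
{
    const char *in = s;
    char *out = s;              /* out never passes in, so in-place is safe */

    while (*in != '\0') {
        if (*in == '%') {
            int hi = hex_value(in[1]);
            int lo = (hi < 0) ? -1 : hex_value(in[2]);  /* never reads past the NUL */
            if (lo < 0)
                return -1;
            *out++ = (char)((hi << 4) | lo);
            in += 3;
        } else {
            *out++ = (*in == '+') ? ' ' : *in;
            in++;
        }
    }
    *out = '\0';
    return (long)(out - s);
}

/* 1 if line begins with method followed by a space, so "POSTER" is not "POST". */
static int has_method(const char *line, const char *method)
{
    size_t n = strlen(method);
    return strncmp(line, method, n) == 0 && line[n] == ' ';
}

int main(void)
{
    char q[] = "name=a%2Fb+c";          /* constructed sample input */
    long n = url_decode_strict(q);
    printf("%ld %s %d\n", n, q, has_method("POST / HTTP/1.0", "POST"));
    return 0;
}
```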
