RE: [openssl-dev] Adding GET support to ocsp app

2014-09-29 Thread Salz, Rich
The decoder does not correctly NUL terminate p when it shrinks by replacing '%xx' with the corresponding octet. Arrgh. Thanks. -- Principal Security Engineer, Akamai Technologies IM: rs...@jabber.me Twitter: RichSalz

Re: [openssl-dev] Adding GET support to ocsp app

2014-09-26 Thread Erwann Abalea
Hello Rich, +static char* urldecode(char* p) + { + unsigned char* out = (unsigned char *)p; + char* save = p; + + for ( ; *p; p++) + { + if (*p == '+') + *out++ = ' '; You're doing HTML-entity decoding here. URL
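Review bot: the '+' to ' ' branch in urldecode is application/x-www-form-urlencoded behaviour, not RFC 3986 percent-decoding; for an OCSP GET request path only the %xx case is needed, so the '+' branch should go (or the reason for form decoding should be documented). Because the loop compacts the buffer in place through out, it must also store a terminating NUL through out once the loop ends; that store is not visible in the quoted fragment, and the 2014-09-29 reply confirms it is missing.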

Re: [openssl-dev] Adding GET support to ocsp app

2014-09-26 Thread Viktor Dukhovni
On Thu, Sep 25, 2014 at 09:56:30PM -0500, Salz, Rich wrote: +static int tohex(char c) + { + switch (c) + { + case '0': return 0; + case '1': return 1; + case '2': return 2; + case '3': return 3; + case '4':
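Review bot: the quoted cases of tohex give the caller no way to learn that a character was not a hex digit, so a malformed %xx sequence is silently accepted instead of rejected; return a sentinel such as -1 for anything outside 0-9/a-f/A-F and have urldecode fail the whole request when either nibble is invalid. The digit-by-digit switch can be replaced by an isxdigit() check plus a small arithmetic conversion, which keeps the error path explicit and the function short.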

RE: [openssl-dev] Adding GET support to ocsp app

2014-09-26 Thread Salz, Rich
This code treats non-hex characters as zero, they should trigger an error. Be liberal in what you accept :) If there's a problem with it, the base64 decode or the DER parse will fail later. If there's not a problem with it, then there.. is no problem. + if (strchr(p, '+') !=

RE: [openssl-dev] Adding GET support to ocsp app

2014-09-26 Thread Salz, Rich
You're doing HTML-entity decoding here. URL decoding uses only the %xx stuff. See RFC3986. + else if (*p != '%') + *out++ = *p; Yes, I was treating it as an HTML form, not just a strict URI encoding. + /* URL decode? Really shouldn't be needed.

Re: [openssl-dev] Adding GET support to ocsp app

2014-09-26 Thread Viktor Dukhovni
On Fri, Sep 26, 2014 at 08:12:37PM -0500, Salz, Rich wrote: You're doing HTML-entity decoding here. URL decoding uses only the %xx stuff. See RFC3986. + else if (*p != '%') + *out++ = *p; Yes, I was treating it as an HTML form, not just a strict URI

RE: [openssl-dev] Adding GET support to ocsp app

2014-09-25 Thread Salz, Rich
I don't see where the OCSP request is de-base64-ified, and URL-decoded. In both cases, d2i_OCSP_REQUEST_bio is called to get the request, but it's done directly on the HTTP request line for a GET. I forgot to post the updated patch. Thanks Erwann. -- Principal Security Engineer, Akamai

Re: [openssl-dev] Adding GET support to ocsp app

2014-09-13 Thread Erwann Abalea
On 11/09/2014 19:45, Salz, Rich wrote: The attached diff adds GET support to ocsp. I'd appreciate any feedback. I don't see where the OCSP request is de-base64-ified, and URL-decoded. In both cases, d2i_OCSP_REQUEST_bio is called to get the request, but it's done directly on the HTTP

Re: [openssl-dev] Adding GET support to ocsp app

2014-09-12 Thread Erwann Abalea
(trying a resend, my email address has changed) On 11/09/2014 19:45, Salz, Rich wrote: The attached diff adds GET support to ocsp. I'd appreciate any feedback. I don't see where the OCSP request is de-base64-ified, and URL-decoded. In both cases, d2i_OCSP_REQUEST_bio is called to get

RE: [openssl-dev] Adding GET support to ocsp app

2014-09-12 Thread Salz, Rich
I don't see where the OCSP request is de-base64-ified, and URL-decoded. In both cases, d2i_OCSP_REQUEST_bio is called to get the request, but it's done directly on the HTTP request line for a GET. Doh! Right :(