jim 97/01/19 20:28:35
Modified: src CHANGES buff.c http_config.c http_core.c http_main.c http_protocol.c http_request.c mod_auth.c mod_auth_anon.c mod_auth_db.c mod_auth_dbm.c mod_auth_msql.c mod_cgi.c mod_digest.c mod_expires.c mod_imap.c mod_include.c mod_info.c mod_log_agent.c mod_log_config.c mod_negotiation.c mod_rewrite.c mod_rewrite.h mod_usertrack.c rfc1413.c util.c util_script.c src/modules/proxy proxy_cache.c proxy_ftp.c proxy_http.c proxy_util.c Log: Change from sprintf() to snprintf() to avoid and possible prevent buffer overflows Revision Changes Path 1.126 +4 -0 apache/src/CHANGES Index: CHANGES =================================================================== RCS file: /export/home/cvs/apache/src/CHANGES,v retrieving revision 1.125 retrieving revision 1.126 diff -C3 -r1.125 -r1.126 *** CHANGES 1997/01/20 00:12:33 1.125 --- CHANGES 1997/01/20 04:28:07 1.126 *************** *** 1,5 **** --- 1,9 ---- Changes with Apache 1.2b5 + *) Migration from sprintf() to snprintf() to avoid buffer + overflows. Provide portable snprintf() implementation + (ap_snprintf). [Marc Slemko, jj] + *) Remove mod_fastcgi.c from the distribution. This module appears to be maintained more through the Open Market channels and should continue to be easily available at http://www.fastcgi.com/ 1.14 +1 -1 apache/src/buff.c Index: buff.c =================================================================== RCS file: /export/home/cvs/apache/src/buff.c,v retrieving revision 1.13 retrieving revision 1.14 diff -C3 -r1.13 -r1.14 *** buff.c 1997/01/18 19:17:21 1.13 --- buff.c 1997/01/20 04:28:07 1.14 *************** *** 481,487 **** if (fb->flags & B_CHUNK) { char chunksize[16]; /* Big enough for practically anything */ ! sprintf(chunksize, "%x\015\012", nbyte); write(fb->fd, chunksize, strlen(chunksize)); } r = write(fb->fd, buf, nbyte); --- 481,487 ---- if (fb->flags & B_CHUNK) { char chunksize[16]; /* Big enough for practically anything */ ! 
ap_snprintf(chunksize, sizeof(chunksize), "%x\015\012", nbyte); write(fb->fd, chunksize, strlen(chunksize)); } r = write(fb->fd, buf, nbyte); 1.41 +1 -1 apache/src/http_config.c Index: http_config.c =================================================================== RCS file: /export/home/cvs/apache/src/http_config.c,v retrieving revision 1.40 retrieving revision 1.41 diff -C3 -r1.40 -r1.41 *** http_config.c 1997/01/04 15:10:15 1.40 --- http_config.c 1997/01/20 04:28:07 1.41 *************** *** 236,242 **** for(n=0 ; aMethods[n].offset >= 0 ; ++n) if(aMethods[n].offset == offset) break; ! sprintf(buf,"%s:%s",modp->name,aMethods[n].method); return buf; } #else --- 236,242 ---- for(n=0 ; aMethods[n].offset >= 0 ; ++n) if(aMethods[n].offset == offset) break; ! ap_snprintf(buf, sizeof(buf), "%s:%s",modp->name,aMethods[n].method); return buf; } #else 1.58 +2 -1 apache/src/http_core.c Index: http_core.c =================================================================== RCS file: /export/home/cvs/apache/src/http_core.c,v retrieving revision 1.57 retrieving revision 1.58 diff -C3 -r1.57 -r1.58 *** http_core.c 1997/01/01 18:10:17 1.57 --- http_core.c 1997/01/20 04:28:08 1.58 *************** *** 884,890 **** const char *set_server_root (cmd_parms *cmd, void *dummy, char *arg) { if (!is_directory (arg)) return "ServerRoot must be a valid directory"; ! strcpy (server_root, arg); return NULL; } --- 884,891 ---- const char *set_server_root (cmd_parms *cmd, void *dummy, char *arg) { if (!is_directory (arg)) return "ServerRoot must be a valid directory"; ! strncpy (server_root, arg, sizeof(server_root)-1); ! 
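Review bot: `sizeof(buf)` in the new `ap_snprintf(buf, sizeof(buf), "%s:%s",modp->name,aMethods[n].method);` call in http_config.c is the buffer length only if `buf` is declared as an array. The declaration is outside this hunk, and the function returns `buf`, so it is presumably a static array; if it is a pointer instead, the bound becomes the pointer size and the string is silently cut to a few characters. The same check applies to every other `sizeof(...)` bound added in this commit whose buffer is declared outside the lines shown, for example `errstr` in http_main.c. The enclosing function starts outside the hunk.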
server_root[sizeof(server_root)-1] = '\0'; return NULL; } 1.108 +20 -14 apache/src/http_main.c Index: http_main.c =================================================================== RCS file: /export/home/cvs/apache/src/http_main.c,v retrieving revision 1.107 retrieving revision 1.108 diff -C3 -r1.107 -r1.108 *** http_main.c 1997/01/19 17:43:28 1.107 --- http_main.c 1997/01/20 04:28:08 1.108 *************** *** 193,206 **** void accept_mutex_init(pool *p) { ! char lock_fname[30]; #ifdef __MACHTEN__ ! strcpy(lock_fname, "/var/tmp/htlock.XXXXXX"); #else ! strcpy(lock_fname, "/usr/tmp/htlock.XXXXXX"); #endif ! if (mktemp(lock_fname) == NULL || lock_fname[0] == '\0') { fprintf (stderr, "Cannot assign name to lock file!\n"); --- 193,207 ---- void accept_mutex_init(pool *p) { ! char lock_fname[256]; #ifdef __MACHTEN__ ! strncpy(lock_fname, "/var/tmp/htlock.XXXXXX", sizeof(lock_fname)-1); #else ! strncpy(lock_fname, "/usr/tmp/htlock.XXXXXX", sizeof(lock_fname)-1); #endif ! lock_fname[sizeof(lock_fname)-1] = '\0'; ! if (mktemp(lock_fname) == NULL || lock_fname[0] == '\0') { fprintf (stderr, "Cannot assign name to lock file!\n"); *************** *** 251,259 **** void accept_mutex_init(pool *p) { ! char lock_fname[30]; ! strcpy(lock_fname, "/usr/tmp/htlock.XXXXXX"); if (mktemp(lock_fname) == NULL || lock_fname[0] == '\0') { --- 252,261 ---- void accept_mutex_init(pool *p) { ! char lock_fname[256]; ! strncpy(lock_fname, "/usr/tmp/htlock.XXXXXX", sizeof(lock_fname)-1); ! lock_fname[sizeof(lock_fname)-1] = '\0'; if (mktemp(lock_fname) == NULL || lock_fname[0] == '\0') { *************** *** 411,421 **** if (timeout_req != NULL) dirconf = timeout_req->per_dir_config; else dirconf = current_conn->server->lookup_defaults; if (sig == SIGPIPE) { ! sprintf(errstr,"%s lost connection to client %s", timeout_name ? timeout_name : "request", get_remote_host(current_conn, dirconf, REMOTE_NAME)); } else { ! sprintf(errstr,"%s timed out for %s", timeout_name ? 
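Review bot: A ServerRoot argument longer than the buffer is now truncated silently, after `is_directory (arg)` has already accepted the full string, so `server_root` can end up naming a different path from the one that was checked. Rejecting the value is safer than storing a shortened one: add `if (strlen(arg) >= sizeof(server_root)) return "ServerRoot path is too long";` before the copy in set_server_root(). With that guard in place the `strncpy` and the explicit terminator can stay as written.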
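Review bot: Both accept_mutex_init() variants still get the lock file name from `mktemp()` in a shared temporary directory (`/usr/tmp` or `/var/tmp`), which only generates a name, so another local user can create that path before the server opens it. The buffer change does not affect this, and the code that opens the file is outside the hunk, so whether it opens with `O_EXCL` should be confirmed. Where the platform provides it, `mkstemp()` creates and opens the file in one step; otherwise the open should use `O_CREAT | O_EXCL` and fail if the name already exists. Growing `lock_fname` from 30 to 256 bytes is not required for a 22-character template, and a short comment saying why 256 was chosen would help.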
timeout_name : "request", get_remote_host(current_conn, dirconf, REMOTE_NAME)); } --- 413,423 ---- if (timeout_req != NULL) dirconf = timeout_req->per_dir_config; else dirconf = current_conn->server->lookup_defaults; if (sig == SIGPIPE) { ! ap_snprintf(errstr, sizeof(errstr), "%s lost connection to client %s", timeout_name ? timeout_name : "request", get_remote_host(current_conn, dirconf, REMOTE_NAME)); } else { ! ap_snprintf(errstr, sizeof(errstr), "%s timed out for %s", timeout_name ? timeout_name : "request", get_remote_host(current_conn, dirconf, REMOTE_NAME)); } *************** *** 606,612 **** exit(1); } ! sprintf(errstr, "created shared memory segment #%d", shmid); log_error(errstr, server_conf); #ifdef MOVEBREAK --- 608,614 ---- exit(1); } ! ap_snprintf(errstr, sizeof(errstr), "created shared memory segment #%d", shmid); log_error(errstr, server_conf); #ifdef MOVEBREAK *************** *** 658,664 **** if (shmctl(shmid, IPC_RMID, NULL) != 0) { perror("shmctl"); fprintf(stderr, "httpd: Could not delete segment #%d\n", shmid); ! sprintf(errstr, "could not remove shared memory segment #%d", shmid); log_unixerr("shmctl","IPC_RMID",errstr, server_conf); } if (scoreboard_image == BADSHMAT) /* now bailout */ --- 660,666 ---- if (shmctl(shmid, IPC_RMID, NULL) != 0) { perror("shmctl"); fprintf(stderr, "httpd: Could not delete segment #%d\n", shmid); ! ap_snprintf(errstr, sizeof(errstr), "could not remove shared memory segment #%d", shmid); log_unixerr("shmctl","IPC_RMID",errstr, server_conf); } if (scoreboard_image == BADSHMAT) /* now bailout */ *************** *** 2020,2035 **** ptrans = make_sub_pool(pconf); server_argv0 = argv[0]; ! strcpy (server_root, HTTPD_ROOT); ! strcpy (server_confname, SERVER_CONFIG_FILE); while((c = getopt(argc,argv,"Xd:f:vhl")) != -1) { switch(c) { case 'd': ! strcpy (server_root, optarg); break; case 'f': ! 
strcpy (server_confname, optarg); break; case 'v': printf("Server version %s.\n",SERVER_VERSION); --- 2022,2041 ---- ptrans = make_sub_pool(pconf); server_argv0 = argv[0]; ! strncpy (server_root, HTTPD_ROOT, sizeof(server_root)-1); ! server_root[sizeof(server_root)-1] = '\0'; ! strncpy (server_confname, SERVER_CONFIG_FILE, sizeof(server_root)-1); ! server_confname[sizeof(server_confname)-1] = '\0'; while((c = getopt(argc,argv,"Xd:f:vhl")) != -1) { switch(c) { case 'd': ! strncpy (server_root, optarg, sizeof(server_root)-1); ! server_root[sizeof(server_root)-1] = '\0'; break; case 'f': ! strncpy (server_confname, optarg, sizeof(server_confname)-1); ! server_confname[sizeof(server_confname)-1] = '\0'; break; case 'v': printf("Server version %s.\n",SERVER_VERSION); 1.91 +17 -14 apache/src/http_protocol.c Index: http_protocol.c =================================================================== RCS file: /export/home/cvs/apache/src/http_protocol.c,v retrieving revision 1.90 retrieving revision 1.91 diff -C3 -r1.90 -r1.91 *** http_protocol.c 1997/01/12 20:22:17 1.90 --- http_protocol.c 1997/01/20 04:28:09 1.91 *************** *** 140,150 **** r->byterange = 1; ! sprintf(ts, "bytes %ld-%ld/%ld", range_start, range_end, r->clength); table_set(r->headers_out, "Content-Range", pstrdup(r->pool, ts)); ! sprintf(ts, "%ld", range_end - range_start + 1); table_set(r->headers_out, "Content-Length", ts); } else { --- 140,150 ---- r->byterange = 1; ! ap_snprintf(ts, sizeof(ts), "bytes %ld-%ld/%ld", range_start, range_end, r->clength); table_set(r->headers_out, "Content-Range", pstrdup(r->pool, ts)); ! ap_snprintf(ts, sizeof(ts), "%ld", range_end - range_start + 1); table_set(r->headers_out, "Content-Length", ts); } else { *************** *** 153,159 **** r->byterange = 2; table_unset(r->headers_out, "Content-Length"); ! 
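Review bot: The copy of the default config file name is bounded by the wrong buffer: `strncpy (server_confname, SERVER_CONFIG_FILE, sizeof(server_root)-1);` uses `sizeof(server_root)`, while the next line terminates at `sizeof(server_confname)-1`. The array declarations are outside the hunk, but because `strncpy` zero-fills the destination up to the full count, a `server_root` larger than `server_confname` would write past `server_confname` even for a short name. The line should read `strncpy (server_confname, SERVER_CONFIG_FILE, sizeof(server_confname)-1);`. Separately, the `-d` and `-f` cases now shorten an over-long `optarg` without telling the user; printing an error and exiting when `strlen(optarg)` does not fit would avoid starting with a path the administrator did not give.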
sprintf(boundary, "%lx%lx", r->request_time, (long)getpid()); r->boundary = pstrdup(r->pool, boundary); } --- 153,159 ---- r->byterange = 2; table_unset(r->headers_out, "Content-Length"); ! ap_snprintf(boundary, sizeof(boundary), "%lx%lx", r->request_time, (long)getpid()); r->boundary = pstrdup(r->pool, boundary); } *************** *** 181,187 **** char *ct = r->content_type ? r->content_type : default_type(r); char ts[MAX_STRING_LEN]; ! sprintf(ts, "%ld-%ld/%ld", range_start, range_end, r->clength); rvputs(r, "\015\012--", r->boundary, "\015\012Content-type: ", ct, "\015\012Content-range: bytes ", ts, "\015\012\015\012", NULL); --- 181,187 ---- char *ct = r->content_type ? r->content_type : default_type(r); char ts[MAX_STRING_LEN]; ! ap_snprintf(ts, sizeof(ts), "%ld-%ld/%ld", range_start, range_end, r->clength); rvputs(r, "\015\012--", r->boundary, "\015\012Content-type: ", ct, "\015\012Content-range: bytes ", ts, "\015\012\015\012", NULL); *************** *** 198,204 **** r->clength = clength; ! sprintf (ts, "%ld", clength); table_set (r->headers_out, "Content-Length", pstrdup (r->pool, ts)); return 0; --- 198,204 ---- r->clength = clength; ! ap_snprintf (ts, sizeof(ts), "%ld", clength); table_set (r->headers_out, "Content-Length", pstrdup (r->pool, ts)); return 0; *************** *** 225,231 **** * that sets the output to chunked encoding if it is not already * length-delimited. It is not a bug, though it is annoying. */ ! char header[26]; int left = r->server->keep_alive - r->connection->keepalives; r->connection->keepalive = 1; --- 225,231 ---- * that sets the output to chunked encoding if it is not already * length-delimited. It is not a bug, though it is annoying. */ ! char header[256]; int left = r->server->keep_alive - r->connection->keepalives; r->connection->keepalive = 1; *************** *** 233,239 **** /* If they sent a Keep-Alive token, send one back */ if (ka_sent) { ! 
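Review bot: `r->request_time` is passed to `%lx` without a cast in `ap_snprintf(boundary, sizeof(boundary), "%lx%lx", r->request_time, (long)getpid());`, while the ETag hunk in this file casts its time value as `(unsigned long)mtime`. The field's type is declared outside the diff (presumably `time_t`), and a conversion that does not match the argument type is undefined behaviour wherever that type is not `long`. Writing `(unsigned long)r->request_time` here, and in the `"%lu"` call in note_digest_auth_failure(), keeps the varargs call well defined. The enclosing function starts and ends outside this hunk.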
sprintf(header, "timeout=%d, max=%d", r->server->keep_alive_timeout, left); rputs("Connection: Keep-Alive\015\012", r); rvputs(r, "Keep-Alive: ", header, "\015\012", NULL); --- 233,239 ---- /* If they sent a Keep-Alive token, send one back */ if (ka_sent) { ! ap_snprintf(header, sizeof(header), "timeout=%d, max=%d", r->server->keep_alive_timeout, left); rputs("Connection: Keep-Alive\015\012", r); rvputs(r, "Keep-Alive: ", header, "\015\012", NULL); *************** *** 280,289 **** */ if (r->finfo.st_mode != 0) ! sprintf(weak_etag, "W/\"%lx-%lx-%lx\"", (unsigned long)r->finfo.st_ino, (unsigned long)r->finfo.st_size, (unsigned long)mtime); else ! sprintf(weak_etag, "W/\"%lx\"", (unsigned long)mtime); etag = weak_etag + ((r->request_time - mtime > 1) ? 2 : 0); table_set (r->headers_out, "ETag", etag); --- 280,291 ---- */ if (r->finfo.st_mode != 0) ! ap_snprintf(weak_etag, sizeof(weak_etag), "W/\"%lx-%lx-%lx\"", ! (unsigned long)r->finfo.st_ino, (unsigned long)r->finfo.st_size, (unsigned long)mtime); else ! ap_snprintf(weak_etag, sizeof(weak_etag), "W/\"%lx\"", ! (unsigned long)mtime); etag = weak_etag + ((r->request_time - mtime > 1) ? 2 : 0); table_set (r->headers_out, "ETag", etag); *************** *** 752,760 **** void note_digest_auth_failure(request_rec *r) { ! char nonce[10]; ! sprintf(nonce, "%lu", r->request_time); table_set (r->err_headers_out, "WWW-Authenticate", pstrcat(r->pool, "Digest realm=\"", auth_name(r), "\", nonce=\"", nonce, "\"", NULL)); --- 754,762 ---- void note_digest_auth_failure(request_rec *r) { ! char nonce[256]; ! ap_snprintf(nonce, sizeof(nonce), "%lu", r->request_time); table_set (r->err_headers_out, "WWW-Authenticate", pstrcat(r->pool, "Digest realm=\"", auth_name(r), "\", nonce=\"", nonce, "\"", NULL)); *************** *** 1251,1257 **** if (len_to_read == 0) { /* Last chunk indicated, get footers */ if (r->read_body == REQUEST_CHUNKED_DECHUNK) { get_mime_headers(r); ! 
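Review bot: The nonce built in note_digest_auth_failure() is still only the request time (`"%lu"` of `r->request_time`), so enlarging the buffer to 256 bytes does not make it any less predictable. Nothing in the hunk ties the value to the server or lets it expire. This is existing behaviour that the commit leaves alone, but it deserves a comment at the declaration, for example `/* FIXME: nonce is just the request time; should be an unpredictable, server-keyed value */`. The buffer needs at most about 21 bytes for a 64-bit `%lu` plus the terminator, so a named constant would document the size better than a bare 256.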
sprintf(buffer, "%ld", r->read_length); table_unset(r->headers_in, "Transfer-Encoding"); table_set(r->headers_in, "Content-Length", buffer); return 0; --- 1253,1259 ---- if (len_to_read == 0) { /* Last chunk indicated, get footers */ if (r->read_body == REQUEST_CHUNKED_DECHUNK) { get_mime_headers(r); ! ap_snprintf(buffer, bufsiz, "%ld", r->read_length); table_unset(r->headers_in, "Transfer-Encoding"); table_set(r->headers_in, "Content-Length", buffer); return 0; *************** *** 1659,1666 **** if (recursive_error) { char x[80]; ! sprintf (x, "Additionally, an error of type %d was encountered\n", ! recursive_error); bputs(x, fd); bputs("while trying to use an ErrorDocument to\n", fd); bputs("handle the request.\n", fd); --- 1661,1669 ---- if (recursive_error) { char x[80]; ! ap_snprintf (x, sizeof(x), ! "Additionally, an error of type %d was encountered\n", ! recursive_error); bputs(x, fd); bputs("while trying to use an ErrorDocument to\n", fd); bputs("handle the request.\n", fd); 1.38 +2 -2 apache/src/http_request.c Index: http_request.c =================================================================== RCS file: /export/home/cvs/apache/src/http_request.c,v retrieving revision 1.37 retrieving revision 1.38 diff -C3 -r1.37 -r1.38 *** http_request.c 1997/01/14 05:03:06 1.37 --- http_request.c 1997/01/20 04:28:10 1.38 *************** *** 999,1005 **** request_rec *internal_internal_redirect (const char *new_uri, request_rec *r) { request_rec *new = (request_rec *)pcalloc(r->pool, sizeof(request_rec)); ! char t[10]; /* Long enough... */ new->connection = r->connection; new->server = r->server; --- 999,1005 ---- request_rec *internal_internal_redirect (const char *new_uri, request_rec *r) { request_rec *new = (request_rec *)pcalloc(r->pool, sizeof(request_rec)); ! char t[256]; /* Long enough... */ new->connection = r->connection; new->server = r->server; *************** *** 1045,1051 **** */ new->no_local_copy = r->no_local_copy; ! 
sprintf (t, "%d", r->status); table_set (new->subprocess_env, "REDIRECT_STATUS", pstrdup (r->pool, t)); return new; --- 1045,1051 ---- */ new->no_local_copy = r->no_local_copy; ! ap_snprintf (t, sizeof(t), "%d", r->status); table_set (new->subprocess_env, "REDIRECT_STATUS", pstrdup (r->pool, t)); return new; 1.12 +2 -2 apache/src/mod_auth.c Index: mod_auth.c =================================================================== RCS file: /export/home/cvs/apache/src/mod_auth.c,v retrieving revision 1.11 retrieving revision 1.12 diff -C3 -r1.11 -r1.12 *** mod_auth.c 1997/01/01 18:10:26 1.11 --- mod_auth.c 1997/01/20 04:28:10 1.12 *************** *** 198,211 **** if (!(real_pw = get_pw(r, c->user, sec->auth_pwfile))) { if (!(sec->auth_authoritative)) return DECLINED; ! sprintf(errstr,"user %s not found",c->user); log_reason (errstr, r->uri, r); note_basic_auth_failure (r); return AUTH_REQUIRED; } /* anyone know where the prototype for crypt is? */ if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) { ! sprintf(errstr,"user %s: password mismatch",c->user); log_reason (errstr, r->uri, r); note_basic_auth_failure (r); return AUTH_REQUIRED; --- 198,211 ---- if (!(real_pw = get_pw(r, c->user, sec->auth_pwfile))) { if (!(sec->auth_authoritative)) return DECLINED; ! ap_snprintf(errstr, sizeof(errstr), "user %s not found",c->user); log_reason (errstr, r->uri, r); note_basic_auth_failure (r); return AUTH_REQUIRED; } /* anyone know where the prototype for crypt is? */ if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) { ! 
ap_snprintf(errstr, sizeof(errstr), "user %s: password mismatch",c->user); log_reason (errstr, r->uri, r); note_basic_auth_failure (r); return AUTH_REQUIRED; 1.13 +3 -2 apache/src/mod_auth_anon.c Index: mod_auth_anon.c =================================================================== RCS file: /export/home/cvs/apache/src/mod_auth_anon.c,v retrieving revision 1.12 retrieving revision 1.13 diff -C3 -r1.12 -r1.13 *** mod_auth_anon.c 1997/01/01 18:10:27 1.12 --- mod_auth_anon.c 1997/01/20 04:28:10 1.13 *************** *** 239,252 **** ) ) { if (sec->auth_anon_logemail) { ! sprintf(errstr,"Anonymous: Passwd <%s> Accepted", send_pw ? send_pw : "\'none\'"); log_error (errstr, r->server ); } return OK; } else { if (sec->auth_anon_authoritative) { ! sprintf(errstr,"Anonymous: Authoritative, Passwd <%s> not accepted", send_pw ? send_pw : "\'none\'"); log_error(errstr,r->server); return AUTH_REQUIRED; --- 239,253 ---- ) ) { if (sec->auth_anon_logemail) { ! ap_snprintf(errstr, sizeof(errstr), "Anonymous: Passwd <%s> Accepted", send_pw ? send_pw : "\'none\'"); log_error (errstr, r->server ); } return OK; } else { if (sec->auth_anon_authoritative) { ! ap_snprintf(errstr, sizeof(errstr), ! "Anonymous: Authoritative, Passwd <%s> not accepted", send_pw ? send_pw : "\'none\'"); log_error(errstr,r->server); return AUTH_REQUIRED; 1.10 +8 -5 apache/src/mod_auth_db.c Index: mod_auth_db.c =================================================================== RCS file: /export/home/cvs/apache/src/mod_auth_db.c,v retrieving revision 1.9 retrieving revision 1.10 diff -C3 -r1.9 -r1.10 *** mod_auth_db.c 1997/01/01 18:10:27 1.9 --- mod_auth_db.c 1997/01/20 04:28:11 1.10 *************** *** 201,207 **** if(!(real_pw = get_db_pw(r, c->user, sec->auth_dbpwfile))) { if (!(sec -> auth_dbauthoritative)) return DECLINED; ! 
sprintf(errstr,"DB user %s not found", c->user); log_reason (errstr, r->filename, r); note_basic_auth_failure (r); return AUTH_REQUIRED; --- 201,207 ---- if(!(real_pw = get_db_pw(r, c->user, sec->auth_dbpwfile))) { if (!(sec -> auth_dbauthoritative)) return DECLINED; ! ap_snprintf(errstr, sizeof(errstr), "DB user %s not found", c->user); log_reason (errstr, r->filename, r); note_basic_auth_failure (r); return AUTH_REQUIRED; *************** *** 211,217 **** if (colon_pw) *colon_pw='\0'; /* anyone know where the prototype for crypt is? */ if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) { ! sprintf(errstr,"user %s: password mismatch",c->user); log_reason (errstr, r->uri, r); note_basic_auth_failure (r); return AUTH_REQUIRED; --- 211,218 ---- if (colon_pw) *colon_pw='\0'; /* anyone know where the prototype for crypt is? */ if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) { ! ap_snprintf(errstr, sizeof(errstr), ! "user %s: password mismatch",c->user); log_reason (errstr, r->uri, r); note_basic_auth_failure (r); return AUTH_REQUIRED; *************** *** 253,260 **** if (!(groups = get_db_grp(r, user, sec->auth_dbgrpfile))) { if (!(sec->auth_dbauthoritative)) return DECLINED; ! sprintf(errstr,"user %s not in DB group file %s", ! user, sec->auth_dbgrpfile); log_reason (errstr, r->filename, r); note_basic_auth_failure (r); return AUTH_REQUIRED; --- 254,262 ---- if (!(groups = get_db_grp(r, user, sec->auth_dbgrpfile))) { if (!(sec->auth_dbauthoritative)) return DECLINED; ! ap_snprintf(errstr, sizeof(errstr), ! "user %s not in DB group file %s", ! user, sec->auth_dbgrpfile); log_reason (errstr, r->filename, r); note_basic_auth_failure (r); return AUTH_REQUIRED; *************** *** 269,275 **** return OK; } } ! sprintf(errstr,"user %s not in right group",user); log_reason (errstr, r->filename, r); note_basic_auth_failure(r); return AUTH_REQUIRED; --- 271,278 ---- return OK; } } ! ap_snprintf(errstr, sizeof(errstr), ! 
"user %s not in right group",user); log_reason (errstr, r->filename, r); note_basic_auth_failure(r); return AUTH_REQUIRED; 1.13 +8 -5 apache/src/mod_auth_dbm.c Index: mod_auth_dbm.c =================================================================== RCS file: /export/home/cvs/apache/src/mod_auth_dbm.c,v retrieving revision 1.12 retrieving revision 1.13 diff -C3 -r1.12 -r1.13 *** mod_auth_dbm.c 1997/01/01 18:10:28 1.12 --- mod_auth_dbm.c 1997/01/20 04:28:11 1.13 *************** *** 189,195 **** if(!(real_pw = get_dbm_pw(r, c->user, sec->auth_dbmpwfile))) { if (!(sec->auth_dbmauthoritative)) return DECLINED; ! sprintf(errstr,"DBM user %s not found", c->user); log_reason (errstr, r->filename, r); note_basic_auth_failure (r); return AUTH_REQUIRED; --- 189,195 ---- if(!(real_pw = get_dbm_pw(r, c->user, sec->auth_dbmpwfile))) { if (!(sec->auth_dbmauthoritative)) return DECLINED; ! ap_snprintf(errstr, sizeof(errstr), "DBM user %s not found", c->user); log_reason (errstr, r->filename, r); note_basic_auth_failure (r); return AUTH_REQUIRED; *************** *** 199,205 **** if (colon_pw) *colon_pw='\0'; /* anyone know where the prototype for crypt is? */ if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) { ! sprintf(errstr,"user %s: password mismatch",c->user); log_reason (errstr, r->uri, r); note_basic_auth_failure (r); return AUTH_REQUIRED; --- 199,206 ---- if (colon_pw) *colon_pw='\0'; /* anyone know where the prototype for crypt is? */ if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) { ! ap_snprintf(errstr, sizeof(errstr), ! "user %s: password mismatch",c->user); log_reason (errstr, r->uri, r); note_basic_auth_failure (r); return AUTH_REQUIRED; *************** *** 241,248 **** if (!(groups = get_dbm_grp(r, user, sec->auth_dbmgrpfile))) { if (!(sec->auth_dbmauthoritative)) return DECLINED; ! sprintf(errstr,"user %s not in DBM group file %s", ! 
user, sec->auth_dbmgrpfile); log_reason (errstr, r->filename, r); note_basic_auth_failure (r); return AUTH_REQUIRED; --- 242,250 ---- if (!(groups = get_dbm_grp(r, user, sec->auth_dbmgrpfile))) { if (!(sec->auth_dbmauthoritative)) return DECLINED; ! ap_snprintf(errstr, sizeof(errstr), ! "user %s not in DBM group file %s", ! user, sec->auth_dbmgrpfile); log_reason (errstr, r->filename, r); note_basic_auth_failure (r); return AUTH_REQUIRED; *************** *** 257,263 **** return OK; } } ! sprintf(errstr,"user %s not in right group",user); log_reason (errstr, r->filename, r); note_basic_auth_failure(r); return AUTH_REQUIRED; --- 259,266 ---- return OK; } } ! ap_snprintf(errstr, sizeof(errstr), ! "user %s not in right group",user); log_reason (errstr, r->filename, r); note_basic_auth_failure(r); return AUTH_REQUIRED; 1.18 +41 -23 apache/src/mod_auth_msql.c Index: mod_auth_msql.c =================================================================== RCS file: /export/home/cvs/apache/src/mod_auth_msql.c,v retrieving revision 1.17 retrieving revision 1.18 diff -C3 -r1.17 -r1.18 *** mod_auth_msql.c 1997/01/01 18:10:28 1.17 --- mod_auth_msql.c 1997/01/20 04:28:11 1.18 *************** *** 560,566 **** /* does this fit ? */ if (j >= (MAX_FIELD_LEN-1)) { ! sprintf(msql_errstr,"Could not escape '%s', longer than %d",in,MAX_FIELD_LEN); return NULL; }; --- 560,567 ---- /* does this fit ? */ if (j >= (MAX_FIELD_LEN-1)) { ! ap_snprintf(msql_errstr, MAX_STRING_LENGTH, ! "Could not escape '%s', longer than %d",in,MAX_FIELD_LEN); return NULL; }; *************** *** 601,607 **** /* (re) open if nessecary */ if (sock==-1) if ((sock=msqlConnect(host)) == -1) { ! sprintf (msql_errstr, "mSQL: Could not connect to Msql DB %s (%s)", (sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"), msqlErrMsg); --- 602,608 ---- /* (re) open if nessecary */ if (sock==-1) if ((sock=msqlConnect(host)) == -1) { ! 
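Review bot: The new mod_auth_msql.c calls bound `msql_errstr` with `MAX_STRING_LENGTH`, but the buffers are declared as `char msql_errstr[MAX_STRING_LEN];`, and the comment added later in this file also names `MAX_STRING_LEN`. No definition of `MAX_STRING_LENGTH` appears anywhere in the diff, so either the module will not compile or the bound comes from a different constant than the array size. The calls should read `ap_snprintf(msql_errstr, MAX_STRING_LEN, ...)`. The same spelling is repeated in every `ap_snprintf(msql_errstr, ...)` call in the remaining hunks of this file. Since `msql_errstr` is handed to msql_escape() as an argument, `sizeof` is not available there, and the shared constant is the only thing tying the bound to the real array size.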
ap_snprintf (msql_errstr, MAX_STRING_LENGTH, "mSQL: Could not connect to Msql DB %s (%s)", (sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"), msqlErrMsg); *************** *** 612,618 **** * and is quite cheap anyway */ if (msqlSelectDB(sock,sec->auth_msql_database) == -1 ) { ! sprintf (msql_errstr,"mSQL: Could not select Msql Table \'%s\' on host \'%s\'(%s)", (sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"), (sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"), msqlErrMsg); --- 613,620 ---- * and is quite cheap anyway */ if (msqlSelectDB(sock,sec->auth_msql_database) == -1 ) { ! ap_snprintf (msql_errstr, MAX_STRING_LENGTH, ! "mSQL: Could not select Msql Table \'%s\' on host \'%s\'(%s)", (sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"), (sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"), msqlErrMsg); *************** *** 622,628 **** } if (msqlQuery(sock,query) == -1 ) { ! sprintf (msql_errstr,"mSQL: Could not Query database '%s' on host '%s' (%s) with query [%s]", (sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"), (sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"), msqlErrMsg, --- 624,631 ---- } if (msqlQuery(sock,query) == -1 ) { ! ap_snprintf (msql_errstr, MAX_STRING_LENGTH, ! "mSQL: Could not Query database '%s' on host '%s' (%s) with query [%s]", (sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"), (sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"), msqlErrMsg, *************** *** 633,639 **** } if (!(results=msqlStoreResult())) { ! sprintf (msql_errstr,"mSQL: Could not get the results from mSQL database \'%s\' on \'%s\' (%s) with query [%s]", (sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"), (sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"), msqlErrMsg, --- 636,643 ---- } if (!(results=msqlStoreResult())) { ! 
ap_snprintf (msql_errstr, MAX_STRING_LENGTH, ! "mSQL: Could not get the results from mSQL database \'%s\' on \'%s\' (%s) with query [%s]", (sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"), (sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"), msqlErrMsg, *************** *** 649,656 **** /* complain if there are to many * matches. */ ! sprintf (msql_errstr,"mSQL: More than %d matches (%d) whith query [%s]", ! once,hit,( query ? query : "\'unset!\'") ); } else /* if we have a it, try to get it */ --- 653,661 ---- /* complain if there are to many * matches. */ ! ap_snprintf (msql_errstr, MAX_STRING_LENGTH, ! "mSQL: More than %d matches (%d) whith query [%s]", ! once,hit,( query ? query : "\'unset!\'") ); } else /* if we have a it, try to get it */ *************** *** 658,664 **** if ( (currow=msqlFetchRow(results)) != NULL) { /* copy the first matching field value */ if (!(result=palloc(r->pool,strlen(currow[0])+1))) { ! sprintf (msql_errstr,"mSQL: Could not get memory for mSQL %s (%s) with [%s]", (sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"), msqlErrMsg, ( query ? query : "\'unset!\'") ); --- 663,670 ---- if ( (currow=msqlFetchRow(results)) != NULL) { /* copy the first matching field value */ if (!(result=palloc(r->pool,strlen(currow[0])+1))) { ! ap_snprintf (msql_errstr, MAX_STRING_LENGTH, ! "mSQL: Could not get memory for mSQL %s (%s) with [%s]", (sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"), msqlErrMsg, ( query ? query : "\'unset!\'") ); *************** *** 695,701 **** (!sec->auth_msql_pwd_field) || (!sec->auth_msql_uname_field) ) { ! sprintf(msql_errstr, "mSQL: Missing parameters for password lookup: %s%s%s", (sec->auth_msql_pwd_table ? "" : "Password table "), (sec->auth_msql_pwd_field ? "" : "Password field name "), --- 701,707 ---- (!sec->auth_msql_pwd_field) || (!sec->auth_msql_uname_field) ) { ! 
ap_snprintf(msql_errstr, MAX_STRING_LENGTH, "mSQL: Missing parameters for password lookup: %s%s%s", (sec->auth_msql_pwd_table ? "" : "Password table "), (sec->auth_msql_pwd_field ? "" : "Password field name "), *************** *** 705,715 **** }; if (!(msql_escape(esc_user, user, msql_errstr))) { ! sprintf(msql_errstr, "mSQL: Could not cope/escape the '%s' user_id value; ",user); return NULL; }; ! sprintf(query,"select %s from %s where %s='%s'", sec->auth_msql_pwd_field, sec->auth_msql_pwd_table, sec->auth_msql_uname_field, --- 711,722 ---- }; if (!(msql_escape(esc_user, user, msql_errstr))) { ! ap_snprintf(msql_errstr, MAX_STRING_LENGTH, "mSQL: Could not cope/escape the '%s' user_id value; ",user); return NULL; }; ! ap_snprintf(query, sizeof(query), ! "select %s from %s where %s='%s'", sec->auth_msql_pwd_field, sec->auth_msql_pwd_table, sec->auth_msql_uname_field, *************** *** 731,737 **** (!sec->auth_msql_grp_field) || (!sec->auth_msql_uname_field) ) { ! sprintf(msql_errstr, "mSQL: Missing parameters for group lookup: %s%s%s", (sec->auth_msql_grp_table ? "" : "Group table "), (sec->auth_msql_grp_field ? "" : "GroupID field name "), --- 738,744 ---- (!sec->auth_msql_grp_field) || (!sec->auth_msql_uname_field) ) { ! ap_snprintf(msql_errstr, MAX_STRING_LENGTH, "mSQL: Missing parameters for group lookup: %s%s%s", (sec->auth_msql_grp_table ? "" : "Group table "), (sec->auth_msql_grp_field ? "" : "GroupID field name "), *************** *** 741,759 **** }; if (!(msql_escape(esc_user, user,msql_errstr))) { ! sprintf(msql_errstr, "mSQL: Could not cope/escape the '%s' user_id value",user); return NULL; }; if (!(msql_escape(esc_group, group,msql_errstr))) { ! sprintf(msql_errstr, "mSQL: Could not cope/escape the '%s' group_id value",group); return NULL; }; ! 
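Review bot: `ap_snprintf(query, sizeof(query), "select %s from %s where %s='%s'", ...)` keeps the write inside `query`, but a statement that does not fit is cut off silently and, as far as the hunk shows, is still passed on for execution. A shortened SQL statement may fail to parse or may no longer express the intended condition, so over-length input should be rejected rather than truncated. The combined length of the configured field names and `esc_user` could be checked before formatting, returning NULL with a message in `msql_errstr` as the escape failure just above does. The `where %s='%s' and %s='%s'` query built later in this file needs the same check. The declaration of `query` and the call that runs it are outside this hunk.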
sprintf(query,"select %s from %s where %s='%s' and %s='%s'", sec->auth_msql_grp_field, sec->auth_msql_grp_table, sec->auth_msql_uname_field,esc_user, --- 748,767 ---- }; if (!(msql_escape(esc_user, user,msql_errstr))) { ! ap_snprintf(msql_errstr, MAX_STRING_LENGTH, "mSQL: Could not cope/escape the '%s' user_id value",user); return NULL; }; if (!(msql_escape(esc_group, group,msql_errstr))) { ! ap_snprintf(msql_errstr, MAX_STRING_LENGTH, "mSQL: Could not cope/escape the '%s' group_id value",group); return NULL; }; ! ap_snprintf(query, sizeof(query), ! "select %s from %s where %s='%s' and %s='%s'", sec->auth_msql_grp_field, sec->auth_msql_grp_table, sec->auth_msql_uname_field,esc_user, *************** *** 770,775 **** --- 778,786 ---- (msql_auth_config_rec *)get_module_config (r->per_dir_config, &msql_auth_module); char msql_errstr[MAX_STRING_LEN]; + /* msql_errstr must be MAX_STRING_LEN in size unless you + * change size in ap_snprintf() calls + */ conn_rec *c = r->connection; char *sent_pw, *real_pw; int res; *************** *** 795,801 **** if (sec->auth_msql_authoritative) { /* insist that the user is in the database */ ! sprintf(msql_errstr,"mSQL: Password for user %s not found", c->user); note_basic_auth_failure (r); res = AUTH_REQUIRED; } else { --- 806,813 ---- if (sec->auth_msql_authoritative) { /* insist that the user is in the database */ ! ap_snprintf(msql_errstr, MAX_STRING_LENGTH, ! "mSQL: Password for user %s not found", c->user); note_basic_auth_failure (r); res = AUTH_REQUIRED; } else { *************** *** 814,820 **** if ((sec->auth_msql_nopasswd) && (!strlen(real_pw))) { /* ! sprintf(msql_errstr,"mSQL: user %s: Empty/'any' password accepted",c->user); log_reason (msql_errstr, r->uri, r); */ return OK; --- 826,833 ---- if ((sec->auth_msql_nopasswd) && (!strlen(real_pw))) { /* ! ap_snprintf(msql_errstr, MAX_STRING_LENGTH, ! 
"mSQL: user %s: Empty/'any' password accepted",c->user); log_reason (msql_errstr, r->uri, r); */ return OK; *************** *** 824,830 **** * an arms length. */ if ((!strlen(real_pw)) || (!strlen(sent_pw))) { ! sprintf(msql_errstr,"mSQL: user %s: Empty Password(s) Rejected",c->user); log_reason (msql_errstr, r->uri, r); note_basic_auth_failure (r); return AUTH_REQUIRED; --- 837,844 ---- * an arms length. */ if ((!strlen(real_pw)) || (!strlen(sent_pw))) { ! ap_snprintf(msql_errstr, MAX_STRING_LENGTH, ! "mSQL: user %s: Empty Password(s) Rejected",c->user); log_reason (msql_errstr, r->uri, r); note_basic_auth_failure (r); return AUTH_REQUIRED; *************** *** 842,848 **** }; if (strcmp(real_pw,sent_pw)) { ! sprintf(msql_errstr,"mSQL user %s: password mismatch",c->user); log_reason (msql_errstr, r->uri, r); note_basic_auth_failure (r); return AUTH_REQUIRED; --- 856,863 ---- }; if (strcmp(real_pw,sent_pw)) { ! ap_snprintf(msql_errstr, MAX_STRING_LENGTH, ! "mSQL user %s: password mismatch",c->user); log_reason (msql_errstr, r->uri, r); note_basic_auth_failure (r); return AUTH_REQUIRED; *************** *** 859,864 **** --- 874,882 ---- (msql_auth_config_rec *)get_module_config (r->per_dir_config, &msql_auth_module); char msql_errstr[MAX_STRING_LEN]; + /* msql_errstr must be MAX_STRING_LEN in size unless you + * change size in ap_snprintf() calls + */ char *user = r->connection->user; int m = r->method_number; array_header *reqs_arr = requires (r); *************** *** 873,879 **** if (!reqs_arr) { if (sec->auth_msql_authoritative) { ! sprintf(msql_errstr,"user %s denied, no access rules specified (MSQL-Authoritative) ",user); log_reason (msql_errstr, r->uri, r); note_basic_auth_failure(r); return AUTH_REQUIRED; --- 891,897 ---- if (!reqs_arr) { if (sec->auth_msql_authoritative) { ! 
ap_snprintf(msql_errstr, MAX_STRING_LENGTH, "user %s denied, no access rules specified (MSQL-Authoritative) ",user); log_reason (msql_errstr, r->uri, r); note_basic_auth_failure(r); return AUTH_REQUIRED; *************** *** 898,904 **** }; } if ((sec->auth_msql_authoritative) && ( user_result != OK)) { ! sprintf(msql_errstr,"User %s not found (MSQL-Auhtorative)",user); log_reason (msql_errstr, r->uri, r); note_basic_auth_failure(r); return AUTH_REQUIRED; --- 916,922 ---- }; } if ((sec->auth_msql_authoritative) && ( user_result != OK)) { ! ap_snprintf(msql_errstr, MAX_STRING_LENGTH, "User %s not found (MSQL-Auhtorative)",user); log_reason (msql_errstr, r->uri, r); note_basic_auth_failure(r); return AUTH_REQUIRED; *************** *** 926,932 **** }; if ( (sec->auth_msql_authoritative) && (group_result != OK) ) { ! sprintf(msql_errstr,"user %s not in right groups (MSQL-Authoritative) ",user); log_reason (msql_errstr, r->uri, r); note_basic_auth_failure(r); return AUTH_REQUIRED; --- 944,950 ---- }; if ( (sec->auth_msql_authoritative) && (group_result != OK) ) { ! ap_snprintf(msql_errstr, MAX_STRING_LENGTH, "user %s not in right groups (MSQL-Authoritative) ",user); log_reason (msql_errstr, r->uri, r); note_basic_auth_failure(r); return AUTH_REQUIRED; *************** *** 943,949 **** * This really is not needed. */ if (((group_result == AUTH_REQUIRED) || (user_result == AUTH_REQUIRED)) && (sec->auth_msql_authoritative) ) { ! sprintf(msql_errstr,"mSQL-Authoritative: Access denied on %s %s rule(s) ", (group_result == AUTH_REQUIRED) ? "USER" : "", (user_result == AUTH_REQUIRED) ? "GROUP" : "" ); --- 961,967 ---- * This really is not needed. */ if (((group_result == AUTH_REQUIRED) || (user_result == AUTH_REQUIRED)) && (sec->auth_msql_authoritative) ) { ! ap_snprintf(msql_errstr, MAX_STRING_LENGTH, "mSQL-Authoritative: Access denied on %s %s rule(s) ", (group_result == AUTH_REQUIRED) ? "USER" : "", (user_result == AUTH_REQUIRED) ? 
"GROUP" : "" ); 1.28 +1 -1 apache/src/mod_cgi.c Index: mod_cgi.c =================================================================== RCS file: /export/home/cvs/apache/src/mod_cgi.c,v retrieving revision 1.27 retrieving revision 1.28 diff -C3 -r1.27 -r1.28 *** mod_cgi.c 1997/01/01 18:10:30 1.27 --- mod_cgi.c 1997/01/20 04:28:12 1.28 *************** *** 331,337 **** * now, so that's what we use). */ ! sprintf(err_string, "exec of %s failed, errno is %d\n", r->filename, errno); write(2, err_string, strlen(err_string)); exit(0); --- 331,337 ---- * now, so that's what we use). */ ! ap_snprintf(err_string, sizeof(err_string), "exec of %s failed, errno is %d\n", r->filename, errno); write(2, err_string, strlen(err_string)); exit(0); 1.13 +2 -2 apache/src/mod_digest.c Index: mod_digest.c =================================================================== RCS file: /export/home/cvs/apache/src/mod_digest.c,v retrieving revision 1.12 retrieving revision 1.13 diff -C3 -r1.12 -r1.13 *** mod_digest.c 1997/01/01 18:10:30 1.12 --- mod_digest.c 1997/01/20 04:28:12 1.13 *************** *** 277,290 **** return DECLINED; if (!(a1 = get_hash(r, c->user, sec->pwfile))) { ! sprintf(errstr,"user %s not found",c->user); log_reason (errstr, r->uri, r); note_digest_auth_failure (r); return AUTH_REQUIRED; } /* anyone know where the prototype for crypt is? */ if(strcmp(response->digest, find_digest(r, response, a1))) { ! sprintf(errstr,"user %s: password mismatch",c->user); log_reason (errstr, r->uri, r); note_digest_auth_failure (r); return AUTH_REQUIRED; --- 277,290 ---- return DECLINED; if (!(a1 = get_hash(r, c->user, sec->pwfile))) { ! ap_snprintf(errstr, sizeof(errstr), "user %s not found",c->user); log_reason (errstr, r->uri, r); note_digest_auth_failure (r); return AUTH_REQUIRED; } /* anyone know where the prototype for crypt is? */ if(strcmp(response->digest, find_digest(r, response, a1))) { ! 
ap_snprintf(errstr, sizeof(errstr), "user %s: password mismatch",c->user); log_reason (errstr, r->uri, r); note_digest_auth_failure (r); return AUTH_REQUIRED; 1.6 +1 -1 apache/src/mod_expires.c Index: mod_expires.c =================================================================== RCS file: /export/home/cvs/apache/src/mod_expires.c,v retrieving revision 1.5 retrieving revision 1.6 diff -C3 -r1.5 -r1.6 *** mod_expires.c 1997/01/01 18:10:32 1.5 --- mod_expires.c 1997/01/20 04:28:12 1.6 *************** *** 321,327 **** word = getword_conf( pool, &code ); }; ! sprintf( foo, "%c%d", base, modifier ); *real_code = pstrdup( pool, foo ); return NULL; --- 321,327 ---- word = getword_conf( pool, &code ); }; ! ap_snprintf(foo, sizeof(foo), "%c%d", base, modifier ); *real_code = pstrdup( pool, foo ); return NULL; 1.15 +31 -17 apache/src/mod_imap.c Index: mod_imap.c =================================================================== RCS file: /export/home/cvs/apache/src/mod_imap.c,v retrieving revision 1.14 retrieving revision 1.15 diff -C3 -r1.14 -r1.15 *** mod_imap.c 1997/01/01 18:10:33 1.14 --- mod_imap.c 1997/01/20 04:28:13 1.15 *************** *** 354,360 **** return(string - starting_pos); /* return the total characters read */ } ! void imap_url(request_rec *r, char *base, char *value, char *url) { /* translates a value into a URL. */ --- 354,362 ---- return(string - starting_pos); /* return the total characters read */ } ! /* ! * url needs to point to a string with at least SMALLBUF memory allocated ! */ void imap_url(request_rec *r, char *base, char *value, char *url) { /* translates a value into a URL. */ *************** *** 366,389 **** if ( ! strcasecmp(value, "map" ) || ! strcasecmp(value, "menu") ) { if (r->server->port == 80 ) { ! sprintf(url, "http://%s%s", r->server->server_hostname, r->uri); } else { ! sprintf(url, "http://%s:%d%s", r->server->server_hostname, r->server->port, r->uri); } return; } if ( ! strcasecmp(value, "nocontent") || ! 
strcasecmp(value, "error") ) { ! strncpy(url, value, SMALLBUF); return; /* these are handled elsewhere, so just copy them */ } if ( ! strcasecmp(value, "referer" ) ) { referer = table_get(r->headers_in, "Referer"); if ( referer && *referer ) { ! strncpy(url, referer, SMALLBUF); return; } else { --- 368,394 ---- if ( ! strcasecmp(value, "map" ) || ! strcasecmp(value, "menu") ) { if (r->server->port == 80 ) { ! ap_snprintf(url, SMALLBUF, ! "http://%s%s", r->server->server_hostname, r->uri); } else { ! ap_snprintf(url, SMALLBUF, "http://%s:%d%s", r->server->server_hostname, r->server->port, r->uri); } return; } if ( ! strcasecmp(value, "nocontent") || ! strcasecmp(value, "error") ) { ! strncpy(url, value, SMALLBUF-1); ! url[SMALLBUF-1] = '\0'; return; /* these are handled elsewhere, so just copy them */ } if ( ! strcasecmp(value, "referer" ) ) { referer = table_get(r->headers_in, "Referer"); if ( referer && *referer ) { ! strncpy(url, referer, SMALLBUF-1); ! url[SMALLBUF-1] = '\0'; return; } else { *************** *** 395,421 **** while ( isalpha(*string_pos) ) string_pos++; /* go along the URL from the map until a non-letter */ if ( *string_pos == ':' ) { ! strncpy(url, value, SMALLBUF); /* if letters and then a colon (like http:) */ return; /* it's an absolute URL, so use it! */ } if ( ! base || ! *base ) { if ( value && *value ) { ! strncpy(url, value, SMALLBUF); /* no base: use what is given */ } else { if (r->server->port == 80 ) { ! sprintf(url, "http://%s/", r->server->server_hostname); } if (r->server->port != 80 ) { ! sprintf(url, "http://%s:%d/", r->server->server_hostname, ! r->server->port); } /* no base, no value: pick a simple default */ } return; } ! 
strncpy(my_base, base, SMALLBUF); /* must be a relative URL to be combined with base */ string_pos = my_base; while (*string_pos) { if (*string_pos == '/' && *(string_pos+1) == '/') { --- 400,429 ---- while ( isalpha(*string_pos) ) string_pos++; /* go along the URL from the map until a non-letter */ if ( *string_pos == ':' ) { ! strncpy(url, value, SMALLBUF-1); /* if letters and then a colon (like http:) */ ! url[SMALLBUF-1] = '\0'; return; /* it's an absolute URL, so use it! */ } if ( ! base || ! *base ) { if ( value && *value ) { ! strncpy(url, value, SMALLBUF-1); /* no base: use what is given */ ! url[SMALLBUF-1] = '\0'; } else { if (r->server->port == 80 ) { ! ap_snprintf(url, SMALLBUF, "http://%s/", r->server->server_hostname); } if (r->server->port != 80 ) { ! ap_snprintf(url, SMALLBUF, "http://%s:%d/", ! r->server->server_hostname, r->server->port); } /* no base, no value: pick a simple default */ } return; } ! strncpy(my_base, base, sizeof(my_base)-1); /* must be a relative URL to be combined with base */ ! my_base[sizeof(my_base)-1] = '\0'; string_pos = my_base; while (*string_pos) { if (*string_pos == '/' && *(string_pos+1) == '/') { *************** *** 473,482 **** } /* by this point, value does not start with '..' */ if ( value && *value ) { ! sprintf(url, "%s%s", my_base, value); } else { ! sprintf(url, "%s", my_base); } return; } --- 481,490 ---- } /* by this point, value does not start with '..' */ if ( value && *value ) { ! ap_snprintf(url, SMALLBUF, "%s%s", my_base, value); } else { ! ap_snprintf(url, SMALLBUF, "%s", my_base); } return; } *************** *** 600,605 **** --- 608,616 ---- int imap_handler(request_rec *r) { char input[LARGEBUF] = {'\0'}; + /* size of input can not be lowered without changing hard-coded + * checks + */ char href_text[SMALLBUF] = {'\0'}; char base[SMALLBUF] = {'\0'}; char redirect[SMALLBUF] = {'\0'}; *************** *** 675,681 **** } /* blank lines and comments are ignored if we aren't printing a menu */ ! 
if (sscanf(input, "%s %s", directive, value) != 2) { continue; /* make sure we read two fields */ } /* Now skip what we just read... we can't use ANSIism %n */ --- 686,692 ---- } /* blank lines and comments are ignored if we aren't printing a menu */ ! if (sscanf(input, "%.200s %.200s", directive, value) != 2) { continue; /* make sure we read two fields */ } /* Now skip what we just read... we can't use ANSIism %n */ *************** *** 698,704 **** imap_url(r, NULL, value, mapdflt); if (showmenu) { /* print the default if there's a menu */ if (! *href_text) { /* if we didn't find a "href text" */ ! strncpy(href_text, mapdflt, SMALLBUF); /* use the href itself as text */ } imap_url(r, base, mapdflt, redirect); menu_default(r, imap_menu, redirect, href_text); --- 709,716 ---- imap_url(r, NULL, value, mapdflt); if (showmenu) { /* print the default if there's a menu */ if (! *href_text) { /* if we didn't find a "href text" */ ! strncpy(href_text, mapdflt, sizeof(href_text)-1); /* use the href itself as text */ ! href_text[sizeof(href_text)-1] = '\0'; } imap_url(r, base, mapdflt, redirect); menu_default(r, imap_menu, redirect, href_text); *************** *** 729,735 **** if (showmenu) { read_quoted(string_pos, href_text); /* href text could be here instead */ if (! *href_text) { /* if we didn't find a "href text" */ ! strncpy(href_text, value, SMALLBUF); /* use the href itself in the menu */ } imap_url(r, base, value, redirect); menu_directive(r, imap_menu, redirect, href_text); --- 741,748 ---- if (showmenu) { read_quoted(string_pos, href_text); /* href text could be here instead */ if (! *href_text) { /* if we didn't find a "href text" */ ! strncpy(href_text, value, sizeof(href_text)-1); /* use the href itself in the menu */ ! href_text[sizeof(href_text)-1] = '\0'; } imap_url(r, base, value, redirect); menu_directive(r, imap_menu, redirect, href_text); *************** *** 774,780 **** if ( ! 
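Review bot: The new format `"%.200s %.200s"` in the sscanf() call is not a valid scanf conversion: scanf takes a maximum field width (`%200s`) and has no precision, so the `.` makes the directive invalid. Depending on the C library the call will fail to return 2, so every map line hits `continue`, or the behaviour is undefined. The intended bound is `sscanf(input, "%200s %200s", directive, value)`, which requires `directive` and `value` to be at least 201 bytes each; their declarations are outside the hunk, so that needs confirming. imap_handler's body continues outside the hunk.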
strcasecmp(directive, "point" ) ) { /* point */ if (is_closer(testpoint, pointarray, &closest_yet) ) { ! strncpy(closest, value, SMALLBUF); /* if the closest point yet save it */ } continue; --- 787,794 ---- if ( ! strcasecmp(directive, "point" ) ) { /* point */ if (is_closer(testpoint, pointarray, &closest_yet) ) { ! strncpy(closest, value, sizeof(closest)-1); /* if the closest point yet save it */ ! closest[sizeof(closest)-1] = '\0'; } continue; 1.21 +30 -13 apache/src/mod_include.c Index: mod_include.c =================================================================== RCS file: /export/home/cvs/apache/src/mod_include.c,v retrieving revision 1.20 retrieving revision 1.21 diff -C3 -r1.20 -r1.21 *** mod_include.c 1997/01/01 18:10:35 1.20 --- mod_include.c 1997/01/20 04:28:13 1.21 *************** *** 98,104 **** table_set(e, "USER_NAME", pw->pw_name); } else { char uid[16]; ! sprintf(uid, "user#%lu", (unsigned long)r->finfo.st_uid); table_set(e, "USER_NAME", uid); } --- 98,104 ---- table_set(e, "USER_NAME", pw->pw_name); } else { char uid[16]; ! ap_snprintf(uid, sizeof(uid), "user#%lu", (unsigned long)r->finfo.st_uid); table_set(e, "USER_NAME", uid); } *************** *** 261,267 **** GET_CHAR(in,c,NULL,p); } while (isspace(c)); if(c == '>') { ! strcpy(tag,"done"); return tag; } } --- 261,268 ---- GET_CHAR(in,c,NULL,p); } while (isspace(c)); if(c == '>') { ! strncpy(tag,"done", tagbuf_len-1); ! tag[tagbuf_len-1] = '\0'; return tag; } } *************** *** 462,468 **** if (tag[0] == 'f') { /* be safe; only files in this directory or below allowed */ char tmp[MAX_STRING_LEN+2]; ! sprintf(tmp, "/%s/", parsed_string); if (parsed_string[0] == '/' || strstr(tmp, "/../") != NULL) error_fmt = "unable to include file %s in parsed file %s"; else --- 463,469 ---- if (tag[0] == 'f') { /* be safe; only files in this directory or below allowed */ char tmp[MAX_STRING_LEN+2]; ! 
ap_snprintf(tmp, sizeof(tmp), "/%s/", parsed_string); if (parsed_string[0] == '/' || strstr(tmp, "/../") != NULL) error_fmt = "unable to include file %s in parsed file %s"; else *************** *** 567,574 **** #ifdef DEBUG_INCLUDE_CMD fprintf (dbg, "Exec failed\n"); #endif ! sprintf(err_string, "httpd: exec of %s failed, errno is %d\n", ! SHELL_PATH,errno); write (2, err_string, strlen(err_string)); exit(0); } --- 568,576 ---- #ifdef DEBUG_INCLUDE_CMD fprintf (dbg, "Exec failed\n"); #endif ! ap_snprintf(err_string, sizeof(err_string), ! "httpd: exec of %s failed, errno is %d\n", ! SHELL_PATH,errno); write (2, err_string, strlen(err_string)); exit(0); } *************** *** 653,658 **** --- 655,663 ---- } } + /* error and tf must point to a string with room for at + * least MAX_STRING_LEN characters + */ int handle_config(FILE *in, request_rec *r, char *error, char *tf, int *sizefmt) { char tag[MAX_STRING_LEN]; *************** *** 665,675 **** return 1; if(!strcmp(tag,"errmsg")) { parse_string(r, tag_val, parsed_string, MAX_STRING_LEN, 0); ! strcpy(error,parsed_string); } else if(!strcmp(tag,"timefmt")) { time_t date = r->request_time; parse_string(r, tag_val, parsed_string, MAX_STRING_LEN, 0); ! strcpy(tf,parsed_string); table_set (env, "DATE_LOCAL", ht_time(r->pool,date,tf,0)); table_set (env, "DATE_GMT", ht_time(r->pool,date,tf,1)); table_set (env, "LAST_MODIFIED", ht_time(r->pool,r->finfo.st_mtime,tf,0)); --- 670,682 ---- return 1; if(!strcmp(tag,"errmsg")) { parse_string(r, tag_val, parsed_string, MAX_STRING_LEN, 0); ! strncpy(error,parsed_string,MAX_STRING_LEN-1); ! error[MAX_STRING_LEN-1] = '\0'; } else if(!strcmp(tag,"timefmt")) { time_t date = r->request_time; parse_string(r, tag_val, parsed_string, MAX_STRING_LEN, 0); ! strncpy(tf,parsed_string,MAX_STRING_LEN-1); ! 
tf[MAX_STRING_LEN-1] = '\0'; table_set (env, "DATE_LOCAL", ht_time(r->pool,date,tf,0)); table_set (env, "DATE_GMT", ht_time(r->pool,date,tf,1)); table_set (env, "LAST_MODIFIED", ht_time(r->pool,r->finfo.st_mtime,tf,0)); *************** *** 759,767 **** else { int l,x; #if defined(BSD) && BSD > 199305 ! sprintf(tag,"%qd",finfo.st_size); #else ! sprintf(tag,"%ld",finfo.st_size); #endif l = strlen(tag); /* grrr */ for(x=0;x<l;x++) { --- 766,775 ---- else { int l,x; #if defined(BSD) && BSD > 199305 ! /* ap_snprintf can't handle %qd */ ! sprintf(tag,"%qd", finfo.st_size); #else ! ap_snprintf(tag, sizeof(tag), "%ld",finfo.st_size); #endif l = strlen(tag); /* grrr */ for(x=0;x<l;x++) { *************** *** 964,971 **** switch(current->token.type) { case token_string: if (current->token.value[0] != '\0') ! strncat(current->token.value, " ", MAX_STRING_LEN-1); ! strncat(current->token.value, new->token.value, MAX_STRING_LEN-1); break; case token_eq: case token_ne: --- 972,981 ---- switch(current->token.type) { case token_string: if (current->token.value[0] != '\0') ! strncat(current->token.value, " ", ! MAX_STRING_LEN-strlen(current->token.value)-1); ! strncat(current->token.value, new->token.value, ! 
MAX_STRING_LEN-strlen(current->token.value)-1); break; case token_eq: case token_ne: *************** *** 1188,1193 **** --- 1198,1204 ---- #endif parse_string(r, current->token.value, buffer, MAX_STRING_LEN, 0); strncpy(current->token.value, buffer, MAX_STRING_LEN-1); + current->token.value[MAX_STRING_LEN-1] = '\0'; current->value = (current->token.value[0] != '\0'); current->done = 1; current = current->parent; *************** *** 1212,1217 **** --- 1223,1229 ---- buffer, MAX_STRING_LEN, 0); strncpy(current->left->token.value, buffer, MAX_STRING_LEN-1); + current->left->token.value[MAX_STRING_LEN-1] = '\0'; current->left->done = 1; break; default: *************** *** 1226,1231 **** --- 1238,1244 ---- buffer, MAX_STRING_LEN, 0); strncpy(current->right->token.value, buffer, MAX_STRING_LEN-1); + current->right->token.value[MAX_STRING_LEN-1] = '\0'; current->right->done = 1; break; default: *************** *** 1267,1275 **** --- 1280,1290 ---- parse_string(r, current->left->token.value, buffer, MAX_STRING_LEN, 0); strncpy(current->left->token.value, buffer, MAX_STRING_LEN-1); + current->left->token.value[MAX_STRING_LEN-1] = '\0'; parse_string(r, current->right->token.value, buffer, MAX_STRING_LEN, 0); strncpy(current->right->token.value, buffer, MAX_STRING_LEN-1); + current->right->token.value[MAX_STRING_LEN-1] = '\0'; if (current->right->token.value[0] == '/') { int len; len = strlen(current->right->token.value); *************** *** 1537,1544 **** int printing; int conditional_status; ! strcpy(error,DEFAULT_ERROR_MSG); ! strcpy(timefmt,DEFAULT_TIME_FORMAT); sizefmt = SIZEFMT_KMG; /* Turn printing on */ --- 1552,1561 ---- int printing; int conditional_status; ! strncpy(error,DEFAULT_ERROR_MSG, sizeof(error)-1); ! error[sizeof(error)-1] = '\0'; ! strncpy(timefmt,DEFAULT_TIME_FORMAT, sizeof(timefmt)-1); ! 
timefmt[sizeof(timefmt)-1] = '\0'; sizefmt = SIZEFMT_KMG; /* Turn printing on */ 1.10 +27 -22 apache/src/mod_info.c Index: mod_info.c =================================================================== RCS file: /export/home/cvs/apache/src/mod_info.c,v retrieving revision 1.9 retrieving revision 1.10 diff -C3 -r1.9 -r1.10 *** mod_info.c 1997/01/12 20:50:29 1.9 --- mod_info.c 1997/01/20 04:28:14 1.10 *************** *** 88,105 **** char *mod_info_html_cmd_string(char *string) { char *s,*t; ! static char ret[64]; /* What is the max size of a command? */ ret[0]='\0'; s = string; t=ret; ! while(*s) { ! if(*s=='<') { strcat(t,"<"); t+=4*sizeof(char); } ! else if(*s=='>') { strcat(t,">"); t+=4*sizeof(char); } else *t++=*s; s++; - *t='\0'; } return(ret); } --- 88,110 ---- char *mod_info_html_cmd_string(char *string) { char *s,*t; ! static char ret[256]; /* What is the max size of a command? */ ret[0]='\0'; s = string; t=ret; ! while((*s) && (strlen(t) < 256)) { ! if(*s=='<') { ! strncat(t,"<", sizeof(ret)-strlen(ret)); ! t+=4*sizeof(char); ! } else if(*s=='>') { ! strncat(t,">", sizeof(ret)-strlen(ret)); ! t+=4*sizeof(char); ! } else *t++=*s; s++; } + *t='\0'; return(ret); } *************** *** 244,250 **** int display_info(request_rec *r) { module *modp = NULL; ! char buf[256], *cfname; command_rec *cmd=NULL; handler_rec *hand=NULL; server_rec *serv = r->server; --- 249,255 ---- int display_info(request_rec *r) { module *modp = NULL; ! char buf[512], *cfname; command_rec *cmd=NULL; handler_rec *hand=NULL; server_rec *serv = r->server; *************** *** 286,292 **** if(!r->args) { rputs("<tt><a href=\"#server\">Server Settings</a>, ",r); for(modp = top_module; modp; modp = modp->next) { ! sprintf(buf,"<a href=\"#%s\">%s</a>",modp->name,modp->name); rputs(buf, r); if(modp->next) rputs(", ",r); } --- 291,297 ---- if(!r->args) { rputs("<tt><a href=\"#server\">Server Settings</a>, ",r); for(modp = top_module; modp; modp = modp->next) { ! 
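Review bot: The loop bound `strlen(t) < 256` in mod_info_html_cmd_string() measures from the moving cursor `t`, not from the start of `ret`, so it does not stop writes past the end of the 256-byte buffer. Because `*t='\0'` was moved out of the loop, after each plain-character store `t` points at whatever an earlier call left in the static buffer, and strncat() then appends after that stale text while `t` still advances by a fixed 4. The strncat() limit `sizeof(ret)-strlen(ret)` also leaves no room for the terminator that strncat() adds. Tracking the remaining space against `ret` and copying the entity directly addresses all three; the page renders the entity literals as bare `<` and `>`, and the `t+=4` implies the four-character `&lt;`/`&gt;`.

```c
char *mod_info_html_cmd_string(char *string) {
    /* ... unchanged: declarations of s, t and static ret[256] ... */
    char *end = ret + sizeof(ret) - 1;   /* keep one byte for the NUL */

    t = ret;
    for (s = string; *s; s++) {
        const char *ent = (*s == '<') ? "&lt;" : (*s == '>') ? "&gt;" : NULL;
        size_t need = ent ? strlen(ent) : 1;

        if ((size_t)(end - t) < need)
            break;                        /* truncate instead of overrunning ret */
        if (ent) {
            memcpy(t, ent, need);
            t += need;
        }
        else
            *t++ = *s;
    }
    *t = '\0';
    return(ret);
```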
ap_snprintf(buf, sizeof(buf), "<a href=\"#%s\">%s</a>",modp->name,modp->name); rputs(buf, r); if(modp->next) rputs(", ",r); } *************** *** 294,335 **** } if(!r->args || !strcasecmp(r->args,"server")) { ! sprintf(buf,"<a name=\"server\"><strong>Server Version:</strong> <font size=+1><tt>%s</tt></a></font><br>\n",SERVER_VERSION); rputs(buf,r); ! sprintf(buf,"<strong>API Version:</strong> <tt>%d</tt><br>\n",MODULE_MAGIC_NUMBER); rputs(buf,r); ! sprintf(buf,"<strong>Run Mode:</strong> <tt>%s</tt><br>\n",standalone?"standalone":"inetd"); rputs(buf,r); ! sprintf(buf,"<strong>User/Group:</strong> <tt>%s(%d)/%d</tt><br>\n",user_name,(int)user_id,(int)group_id); rputs(buf,r); ! sprintf(buf,"<strong>Hostname/port:</strong> <tt>%s:%d</tt><br>\n",serv->server_hostname,serv->port); rputs(buf,r); ! sprintf(buf,"<strong>Daemons:</strong> <tt>start: %d min idle: %d max idle: %d max: %d</tt><br>\n",daemons_to_start,daemons_min_free,daemons_max_free,daemons_limit); rputs(buf,r); ! sprintf(buf,"<strong>Max Requests:</strong> <tt>per child: %d per connection: %d</tt><br>\n",max_requests_per_child,serv->keep_alive); rputs(buf,r); ! sprintf(buf,"<strong>Timeouts:</strong> <tt>connection: %d keep-alive: %d</tt><br>",serv->timeout,serv->keep_alive_timeout); rputs(buf,r); ! sprintf(buf,"<strong>Server Root:</strong> <tt>%s</tt><br>\n",server_root); rputs(buf,r); ! sprintf(buf,"<strong>Config File:</strong> <tt>%s</tt><br>\n",server_confname); rputs(buf,r); ! sprintf(buf,"<strong>PID File:</strong> <tt>%s</tt><br>\n",pid_fname); rputs(buf,r); ! sprintf(buf,"<strong>Scoreboard File:</strong> <tt>%s</tt><br>\n",scoreboard_fname); rputs(buf,r); } rputs("<hr><dl>",r); for(modp = top_module; modp; modp = modp->next) { if(!r->args || !strcasecmp(modp->name,r->args)) { ! 
sprintf(buf,"<dt><a name=\"%s\"><strong>Module Name:</strong> <font size=+1><tt>%s</tt></a></font>\n",modp->name,modp->name); rputs(buf,r); rputs("<dt><strong>Content-types affected:</strong>",r); hand = modp->handlers; if(hand) { while(hand) { if(hand->content_type) { ! sprintf(buf," <tt>%s</tt>\n",hand->content_type); rputs(buf,r); } else break; hand++; --- 299,340 ---- } if(!r->args || !strcasecmp(r->args,"server")) { ! ap_snprintf(buf, sizeof(buf), "<a name=\"server\"><strong>Server Version:</strong> <font size=+1><tt>%s</tt></a></font><br>\n",SERVER_VERSION); rputs(buf,r); ! ap_snprintf(buf, sizeof(buf), "<strong>API Version:</strong> <tt>%d</tt><br>\n",MODULE_MAGIC_NUMBER); rputs(buf,r); ! ap_snprintf(buf, sizeof(buf), "<strong>Run Mode:</strong> <tt>%s</tt><br>\n",standalone?"standalone":"inetd"); rputs(buf,r); ! ap_snprintf(buf, sizeof(buf), "<strong>User/Group:</strong> <tt>%s(%d)/%d</tt><br>\n",user_name,(int)user_id,(int)group_id); rputs(buf,r); ! ap_snprintf(buf, sizeof(buf), "<strong>Hostname/port:</strong> <tt>%s:%d</tt><br>\n",serv->server_hostname,serv->port); rputs(buf,r); ! ap_snprintf(buf, sizeof(buf), "<strong>Daemons:</strong> <tt>start: %d min idle: %d max idle: %d max: %d</tt><br>\n",daemons_to_start,daemons_min_free,daemons_max_free,daemons_limit); rputs(buf,r); ! ap_snprintf(buf, sizeof(buf), "<strong>Max Requests:</strong> <tt>per child: %d per connection: %d</tt><br>\n",max_requests_per_child,serv->keep_alive); rputs(buf,r); ! ap_snprintf(buf, sizeof(buf), "<strong>Timeouts:</strong> <tt>connection: %d keep-alive: %d</tt><br>",serv->timeout,serv->keep_alive_timeout); rputs(buf,r); ! ap_snprintf(buf, sizeof(buf), "<strong>Server Root:</strong> <tt>%s</tt><br>\n",server_root); rputs(buf,r); ! ap_snprintf(buf, sizeof(buf), "<strong>Config File:</strong> <tt>%s</tt><br>\n",server_confname); rputs(buf,r); ! ap_snprintf(buf, sizeof(buf), "<strong>PID File:</strong> <tt>%s</tt><br>\n",pid_fname); rputs(buf,r); ! 
ap_snprintf(buf, sizeof(buf), "<strong>Scoreboard File:</strong> <tt>%s</tt><br>\n",scoreboard_fname); rputs(buf,r); } rputs("<hr><dl>",r); for(modp = top_module; modp; modp = modp->next) { if(!r->args || !strcasecmp(modp->name,r->args)) { ! ap_snprintf(buf, sizeof(buf), "<dt><a name=\"%s\"><strong>Module Name:</strong> <font size=+1><tt>%s</tt></a></font>\n",modp->name,modp->name); rputs(buf,r); rputs("<dt><strong>Content-types affected:</strong>",r); hand = modp->handlers; if(hand) { while(hand) { if(hand->content_type) { ! ap_snprintf(buf, sizeof(buf), " <tt>%s</tt>\n",hand->content_type); rputs(buf,r); } else break; hand++; *************** *** 380,386 **** if(cmd) { while(cmd) { if(cmd->name) { ! sprintf(buf,"<dd><tt>%s - <i>",mod_info_html_cmd_string(cmd->name)); rputs(buf,r); if(cmd->errmsg) rputs(cmd->errmsg,r); rputs("</i></tt>\n",r); --- 385,391 ---- if(cmd) { while(cmd) { if(cmd->name) { ! ap_snprintf(buf, sizeof(buf), "<dd><tt>%s - <i>",mod_info_html_cmd_string(cmd->name)); rputs(buf,r); if(cmd->errmsg) rputs(cmd->errmsg,r); rputs("</i></tt>\n",r); 1.9 +1 -1 apache/src/mod_log_agent.c Index: mod_log_agent.c =================================================================== RCS file: /export/home/cvs/apache/src/mod_log_agent.c,v retrieving revision 1.8 retrieving revision 1.9 diff -C3 -r1.8 -r1.9 *** mod_log_agent.c 1997/01/10 09:34:42 1.8 --- mod_log_agent.c 1997/01/20 04:28:14 1.9 *************** *** 170,176 **** agent = table_get(orig->headers_in, "User-Agent"); if(agent != NULL) { ! sprintf(str, "%s\n", agent); write(cls->agent_fd, str, strlen(str)); } --- 170,176 ---- agent = table_get(orig->headers_in, "User-Agent"); if(agent != NULL) { ! 
ap_snprintf(str, sizeof(str), "%s\n", agent); write(cls->agent_fd, str, strlen(str)); } 1.22 +9 -9 apache/src/mod_log_config.c Index: mod_log_config.c =================================================================== RCS file: /export/home/cvs/apache/src/mod_log_config.c,v retrieving revision 1.21 retrieving revision 1.22 diff -C3 -r1.21 -r1.22 *** mod_log_config.c 1997/01/16 08:06:12 1.21 --- mod_log_config.c 1997/01/20 04:28:14 1.22 *************** *** 224,230 **** char *format_integer(pool *p, int i) { char dummy[40]; ! sprintf (dummy, "%d", i); return pstrdup (p, dummy); } --- 224,230 ---- char *format_integer(pool *p, int i) { char dummy[40]; ! ap_snprintf (dummy, sizeof(dummy), "%d", i); return pstrdup (p, dummy); } *************** *** 271,277 **** long int bs; char dummy[40]; bgetopt(r->connection->client, BO_BYTECT, &bs); ! sprintf(dummy, "%ld", bs); return pstrdup(r->pool, dummy); } } --- 271,277 ---- long int bs; char dummy[40]; bgetopt(r->connection->client, BO_BYTECT, &bs); ! ap_snprintf(dummy, sizeof(dummy), "%ld", bs); return pstrdup(r->pool, dummy); } } *************** *** 309,316 **** if(timz < 0) timz = -timz; strftime(tstr,MAX_STRING_LEN,"[%d/%b/%Y:%H:%M:%S ",t); ! sprintf (tstr + strlen(tstr), "%c%.2d%.2d]", ! sign, timz/60, timz%60); } return pstrdup (r->pool, tstr); --- 309,316 ---- if(timz < 0) timz = -timz; strftime(tstr,MAX_STRING_LEN,"[%d/%b/%Y:%H:%M:%S ",t); ! ap_snprintf (tstr + strlen(tstr), sizeof(tstr)-strlen(tstr), ! "%c%.2d%.2d]", sign, timz/60, timz%60); } return pstrdup (r->pool, tstr); *************** *** 319,325 **** char *log_request_duration (request_rec *r, char *a) { char duration[22]; /* Long enough for 2^64 */ ! sprintf(duration, "%ld", time(NULL) - r->request_time); return pstrdup(r->pool, duration); } --- 319,325 ---- char *log_request_duration (request_rec *r, char *a) { char duration[22]; /* Long enough for 2^64 */ ! 
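Review bot: When the User-Agent value does not fit in `str`, ap_snprintf() truncates the formatted string and the trailing `\n` is lost, so the next agent-log record is appended to the same line. The declaration of `str` is outside the hunk, so its size cannot be checked here. Keeping the single write() but restoring the record separator on truncation would be enough, for example `if (strlen(str) == sizeof(str)-1) str[sizeof(str)-2] = '\n';` before the write(). The enclosing function starts and ends outside the hunk.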
ap_snprintf(duration, sizeof(duration), "%ld", time(NULL) - r->request_time); return pstrdup(r->pool, duration); } *************** *** 328,342 **** } char *log_server_port (request_rec *r, char *a) { ! char portnum[10]; ! sprintf(portnum, "%d", r->server->port); return pstrdup(r->pool, portnum); } char *log_child_pid (request_rec *r, char *a) { ! char pidnum[10]; ! sprintf(pidnum, "%ld", (long)getpid()); return pstrdup(r->pool, pidnum); } /***************************************************************** --- 328,342 ---- } char *log_server_port (request_rec *r, char *a) { ! char portnum[22]; ! ap_snprintf(portnum, sizeof(portnum), "%d", r->server->port); return pstrdup(r->pool, portnum); } char *log_child_pid (request_rec *r, char *a) { ! char pidnum[22]; ! ap_snprintf(pidnum, sizeof(pidnum), "%ld", (long)getpid()); return pstrdup(r->pool, pidnum); } /***************************************************************** 1.30 +3 -3 apache/src/mod_negotiation.c Index: mod_negotiation.c =================================================================== RCS file: /export/home/cvs/apache/src/mod_negotiation.c,v retrieving revision 1.29 retrieving revision 1.30 diff -C3 -r1.29 -r1.30 *** mod_negotiation.c 1997/01/01 18:10:38 1.29 --- mod_negotiation.c 1997/01/20 04:28:15 1.30 *************** *** 1653,1661 **** char *rec; char qstr[6]; long len; ! char lenstr[20]; /* is this long enough? */ ! sprintf(qstr, "%1.3f", variant->type_quality); /* Strip trailing zeros (saves those valuable network bytes) */ if (qstr[4] == '0') { --- 1653,1661 ---- char *rec; char qstr[6]; long len; ! char lenstr[22]; /* enough for 2^64 */ ! ap_snprintf(qstr, sizeof(qstr), "%1.3f", variant->type_quality); /* Strip trailing zeros (saves those valuable network bytes) */ if (qstr[4] == '0') { *************** *** 1699,1705 **** vary_by_charset = 1; } if ((len = find_content_length(neg, variant)) != 0) { ! 
sprintf(lenstr, "%ld", len); rec = pstrcat(r->pool, rec, " {length ", lenstr, "}", NULL); } --- 1699,1705 ---- vary_by_charset = 1; } if ((len = find_content_length(neg, variant)) != 0) { ! ap_snprintf(lenstr, sizeof(lenstr), "%ld", len); rec = pstrcat(r->pool, rec, " {length ", lenstr, "}", NULL); } 1.15 +109 -70 apache/src/mod_rewrite.c Index: mod_rewrite.c =================================================================== RCS file: /export/home/cvs/apache/src/mod_rewrite.c,v retrieving revision 1.14 retrieving revision 1.15 diff -C3 -r1.14 -r1.15 *** mod_rewrite.c 1997/01/16 08:06:13 1.14 --- mod_rewrite.c 1997/01/20 04:28:15 1.15 *************** *** 891,897 **** #endif thisport = ""; else { ! sprintf(buf, ":%d", r->server->port); thisport = pstrdup(r->pool, buf); } thisurl = table_get(r->subprocess_env, ENVVAR_SCRIPT_URL); --- 891,897 ---- #endif thisport = ""; else { ! ap_snprintf(buf, sizeof(buf), ":%d", r->server->port); thisport = pstrdup(r->pool, buf); } thisurl = table_get(r->subprocess_env, ENVVAR_SCRIPT_URL); *************** *** 1026,1032 **** n = prefix_stat(r->filename, &finfo); if (n == 0) { if ((cp = document_root(r)) != NULL) { ! strcpy(docroot, cp); /* allways NOT have a trailing slash */ l = strlen(docroot); --- 1026,1033 ---- n = prefix_stat(r->filename, &finfo); if (n == 0) { if ((cp = document_root(r)) != NULL) { ! strncpy(docroot, cp, sizeof(docroot)-1); ! docroot[sizeof(docroot)-1] = '\0'; /* allways NOT have a trailing slash */ l = strlen(docroot); *************** *** 1471,1489 **** if (p->flags & RULEFLAG_PROXY) { if (p->flags & RULEFLAG_NOTMATCH) { output = pstrcat(r->pool, "proxy:", output, NULL); ! strcpy(newuri, output); ! expand_variables_inbuffer(r, newuri); /* expand %{...} */ ! expand_map_lookups(r, newuri); /* expand ${...} */ } else { output = pstrcat(r->pool, "proxy:", output, NULL); #ifdef HAS_APACHE_REGEX_LIB ! 
strcpy(newuri, pregsub(r->pool, output, uri, regexp->re_nsub+1, regmatch)); /* substitute in output */ #else regsub(regexp, output, newuri); /* substitute in output */ #endif ! expand_variables_inbuffer(r, newuri); /* expand %{...} */ ! expand_map_lookups(r, newuri); /* expand ${...} */ } if (perdir == NULL) rewritelog(r, 2, "rewrite %s -> %s", r->filename, newuri); --- 1472,1492 ---- if (p->flags & RULEFLAG_PROXY) { if (p->flags & RULEFLAG_NOTMATCH) { output = pstrcat(r->pool, "proxy:", output, NULL); ! strncpy(newuri, output, sizeof(newuri)-1); ! newuri[sizeof(newuri)-1] = '\0'; ! expand_variables_inbuffer(r, newuri, sizeof(newuri));/* expand %{...} */ ! expand_map_lookups(r, newuri, sizeof(newuri)); /* expand ${...} */ } else { output = pstrcat(r->pool, "proxy:", output, NULL); #ifdef HAS_APACHE_REGEX_LIB ! strncpy(newuri, pregsub(r->pool, output, uri, regexp->re_nsub+1, regmatch), sizeof(newuri)-1); /* substitute in output */ ! newuri[sizeof(newuri)-1] = '\0'; #else regsub(regexp, output, newuri); /* substitute in output */ #endif ! expand_variables_inbuffer(r, newuri, sizeof(newuri)); /* expand %{...} */ ! expand_map_lookups(r, newuri, sizeof(newuri)); /* expand ${...} */ } if (perdir == NULL) rewritelog(r, 2, "rewrite %s -> %s", r->filename, newuri); *************** *** 1503,1520 **** if (perdir != NULL && strncmp(output, "http://", 7) == 0) { #endif if (p->flags & RULEFLAG_NOTMATCH) { ! strcpy(newuri, output); ! expand_variables_inbuffer(r, newuri); /* expand %{...} */ ! expand_map_lookups(r, newuri); /* expand ${...} */ } else { #ifdef HAS_APACHE_REGEX_LIB ! strcpy(newuri, pregsub(r->pool, output, uri, regexp->re_nsub+1, regmatch)); /* substitute in output */ #else regsub(regexp, output, newuri); /* substitute in output */ #endif ! expand_variables_inbuffer(r, newuri); /* expand %{...} */ ! 
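Review bot: The `#else` branch of this hunk still calls `regsub(regexp, output, newuri)`, which takes no length, so builds without HAS_APACHE_REGEX_LIB keep the unbounded write into `newuri` that the strncpy() change removes from the other branch. The same line is left as it was in the hunks at 1503 and 1532. If regsub() cannot be given a bound, the call should at least carry a comment such as `/* regsub() is unbounded: the substituted output must fit in newuri */` so the remaining exposure is visible. The enclosing function starts and ends outside the hunk.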
expand_map_lookups(r, newuri); /* expand ${...} */ } rewritelog(r, 2, "[per-dir %s] redirect %s -> %s", perdir, r->filename, newuri); r->filename = pstrdup(r->pool, newuri); --- 1506,1525 ---- if (perdir != NULL && strncmp(output, "http://", 7) == 0) { #endif if (p->flags & RULEFLAG_NOTMATCH) { ! strncpy(newuri, output, sizeof(newuri)-1); ! newuri[sizeof(newuri)-1] = '\0'; ! expand_variables_inbuffer(r, newuri, sizeof(newuri));/* expand %{...} */ ! expand_map_lookups(r, newuri, sizeof(newuri)); /* expand ${...} */ } else { #ifdef HAS_APACHE_REGEX_LIB ! strncpy(newuri, pregsub(r->pool, output, uri, regexp->re_nsub+1, regmatch), sizeof(newuri)-1); /* substitute in output */ ! newuri[sizeof(newuri)-1] = '\0'; #else regsub(regexp, output, newuri); /* substitute in output */ #endif ! expand_variables_inbuffer(r, newuri, sizeof(newuri));/* expand %{...} */ ! expand_map_lookups(r, newuri, sizeof(newuri)); /* expand ${...} */ } rewritelog(r, 2, "[per-dir %s] redirect %s -> %s", perdir, r->filename, newuri); r->filename = pstrdup(r->pool, newuri); *************** *** 1532,1549 **** if (p->flags & RULEFLAG_NOTMATCH) { /* just overtake the URI */ ! strcpy(newuri, output); } else { /* substitute in output */ #ifdef HAS_APACHE_REGEX_LIB ! strcpy(newuri, pregsub(r->pool, output, uri, regexp->re_nsub+1, regmatch)); /* substitute in output */ #else regsub(regexp, output, newuri); /* substitute in output */ #endif } ! expand_variables_inbuffer(r, newuri); /* expand %{...} */ ! expand_map_lookups(r, newuri); /* expand ${...} */ if (perdir == NULL) rewritelog(r, 2, "rewrite %s -> %s", uri, newuri); --- 1537,1556 ---- if (p->flags & RULEFLAG_NOTMATCH) { /* just overtake the URI */ ! strncpy(newuri, output, sizeof(newuri)-1); ! newuri[sizeof(newuri)-1] = '\0'; } else { /* substitute in output */ #ifdef HAS_APACHE_REGEX_LIB ! strncpy(newuri, pregsub(r->pool, output, uri, regexp->re_nsub+1, regmatch), sizeof(newuri)-1); /* substitute in output */ ! 
newuri[sizeof(newuri-1)] = '\0'; #else regsub(regexp, output, newuri); /* substitute in output */ #endif } ! expand_variables_inbuffer(r, newuri, sizeof(newuri)); /* expand %{...} */ ! expand_map_lookups(r, newuri, sizeof(newuri)); /* expand ${...} */ if (perdir == NULL) rewritelog(r, 2, "rewrite %s -> %s", uri, newuri); *************** *** 1586,1603 **** #endif strcpy(port, ""); else ! sprintf(port, ":%d", r->server->port); if (r->filename[0] == '/') #ifdef APACHE_SSL ! sprintf(newuri, "%s://%s%s%s", http_method(r), r->server->server_hostname, port, r->filename); #else ! sprintf(newuri, "http://%s%s%s", r->server->server_hostname, port, r->filename); #endif else #ifdef APACHE_SSL ! sprintf(newuri, "%s://%s%s/%s", http_method(r), r->server->server_hostname, port, r->filename); #else ! sprintf(newuri, "http://%s%s/%s", r->server->server_hostname, port, r->filename); #endif if (perdir == NULL) rewritelog(r, 2, "prepare forced redirect %s -> %s", r->filename, newuri); --- 1593,1610 ---- #endif strcpy(port, ""); else ! ap_snprintf(port, sizeof(port), ":%d", r->server->port); if (r->filename[0] == '/') #ifdef APACHE_SSL ! ap_snprintf(newuri, sizeof(newuri), "%s://%s%s%s", http_method(r), r->server->server_hostname, port, r->filename); #else ! ap_snprintf(newuri, sizeof(newuri), "http://%s%s%s", r->server->server_hostname, port, r->filename); #endif else #ifdef APACHE_SSL ! ap_snprintf(newuri, sizeof(newuri), "%s://%s%s/%s", http_method(r), r->server->server_hostname, port, r->filename); #else ! ap_snprintf(newuri, sizeof(newuri), "http://%s%s/%s", r->server->server_hostname, port, r->filename); #endif if (perdir == NULL) rewritelog(r, 2, "prepare forced redirect %s -> %s", r->filename, newuri); *************** *** 1653,1664 **** rc = (regexec(p->regexp, input, 0, NULL, 0) == 0); #else if (p->flags & CONDFLAG_NOCASE) { ! for (i = 0; input[i] != '\0'; i++) inputbuf[i] = tolower(input[i]); inputbuf[i] = '\0'; } else { ! 
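Review bot: The terminator added in the `HAS_APACHE_REGEX_LIB` branch reads `newuri[sizeof(newuri-1)] = '\0';`, with the `-1` inside the `sizeof` parentheses. `newuri-1` is a pointer expression, so the index is the size of a `char *` (typically 4 or 8); the rewritten URI is cut to that many characters and the last byte of the buffer is left unset after a truncating `strncpy`. Assuming `newuri` is the same array used with `sizeof(newuri)-1` in the sibling hunks, the line should be `newuri[sizeof(newuri)-1] = '\0';`. The enclosing function extends beyond the hunk.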
strcpy(inputbuf, input); } rc = (regexec(p->regexp, inputbuf) != 0); #endif --- 1660,1672 ---- rc = (regexec(p->regexp, input, 0, NULL, 0) == 0); #else if (p->flags & CONDFLAG_NOCASE) { ! for (i = 0; input[i] != '\0' && i < sizeof(inputbuf)-1 ; i++) inputbuf[i] = tolower(input[i]); inputbuf[i] = '\0'; } else { ! strncpy(inputbuf, input, sizeof(inputbuf)-1); ! inputbuf[sizeof(inputbuf)-1] = '\0'; } rc = (regexec(p->regexp, inputbuf) != 0); #endif *************** *** 1743,1759 **** /* cut the hostname and port out of the URI */ #ifdef APACHE_SSL ! strcpy(buf, r->filename+strlen(http_method(r))+3); #else ! strcpy(buf, r->filename+7); #endif hostp = buf; for (cp = hostp; *cp != '\0' && *cp != '/' && *cp != ':'; cp++) ; if (*cp == ':') { /* set host */ *cp++ = '\0'; ! strcpy(host, hostp); /* set port */ portp = cp; for (; *cp != '\0' && *cp != '/'; cp++) --- 1751,1769 ---- /* cut the hostname and port out of the URI */ #ifdef APACHE_SSL ! strncpy(buf, r->filename+strlen(http_method(r))+3, sizeof(buf)-1); #else ! strncpy(buf, r->filename+7, sizeof(buf)-1); #endif + buf[sizeof(buf)-1] = '\0'; hostp = buf; for (cp = hostp; *cp != '\0' && *cp != '/' && *cp != ':'; cp++) ; if (*cp == ':') { /* set host */ *cp++ = '\0'; ! strncpy(host, hostp, sizeof(host)-1); ! host[sizeof(host)-1] = '\0'; /* set port */ portp = cp; for (; *cp != '\0' && *cp != '/'; cp++) *************** *** 1768,1774 **** else if (*cp == '/') { /* set host */ *cp = '\0'; ! strcpy(host, hostp); *cp = '/'; /* set port */ port = 80; --- 1778,1785 ---- else if (*cp == '/') { /* set host */ *cp = '\0'; ! strncpy(host, hostp, sizeof(host)-1); ! host[sizeof(host)-1] = '\0'; *cp = '/'; /* set port */ port = 80; *************** *** 1777,1783 **** } else { /* set host */ ! strcpy(host, hostp); /* set port */ port = 80; /* set remaining url */ --- 1788,1795 ---- } else { /* set host */ ! strncpy(host, hostp, sizeof(host)-1); ! 
host[sizeof(host)-1] = '\0'; /* set port */ port = 80; /* set remaining url */ *************** *** 1812,1818 **** newuri = uri; if (uri != NULL && strlen(uri) > 2 && uri[0] == '/' && uri[1] == '~') { /* cut out the username */ ! for (j = 0, i = 2; uri[i] != '\0' && ( (uri[i] >= '0' && uri[i] <= '9') || (uri[i] >= 'a' && uri[i] <= 'z') || (uri[i] >= 'A' && uri[i] <= 'Z')); ) --- 1824,1830 ---- newuri = uri; if (uri != NULL && strlen(uri) > 2 && uri[0] == '/' && uri[1] == '~') { /* cut out the username */ ! for (j = 0, i = 2; j < sizeof(user)-1 && uri[i] != '\0' && ( (uri[i] >= '0' && uri[i] <= '9') || (uri[i] >= 'a' && uri[i] <= 'z') || (uri[i] >= 'A' && uri[i] <= 'Z')); ) *************** *** 1846,1852 **** ** */ ! static void expand_map_lookups(request_rec *r, char *uri) { char newuri[MAX_STRING_LEN]; char *cpI; --- 1858,1865 ---- ** */ ! #define limit_length(n) (n > LONG_STRING_LEN-1 ? LONG_STRING_LEN-1 : n) ! static void expand_map_lookups(request_rec *r, char *uri, int uri_len) { char newuri[MAX_STRING_LEN]; char *cpI; *************** *** 1876,1902 **** cpT = strchr(cpI, ':'); n = cpT-cpI; ! memcpy(mapname, cpI, n); ! mapname[n] = '\0'; cpI += n+1; cpT2 = strchr(cpI, '|'); cpT = strchr(cpI, '}'); if (cpT2 != NULL && cpT2 < cpT) { n = cpT2-cpI; ! memcpy(mapkey, cpI, n); ! mapkey[n] = '\0'; cpI += n+1; n = cpT-cpI; ! memcpy(defaultvalue, cpI, n); ! defaultvalue[n] = '\0'; cpI += n+1; } else { n = cpT-cpI; ! memcpy(mapkey, cpI, n); ! mapkey[n] = '\0'; cpI += n+1; defaultvalue[0] = '\0'; --- 1889,1915 ---- cpT = strchr(cpI, ':'); n = cpT-cpI; ! memcpy(mapname, cpI, limit_length(n)); ! mapname[limit_length(n)] = '\0'; cpI += n+1; cpT2 = strchr(cpI, '|'); cpT = strchr(cpI, '}'); if (cpT2 != NULL && cpT2 < cpT) { n = cpT2-cpI; ! memcpy(mapkey, cpI, limit_length(n)); ! mapkey[limit_length(n)] = '\0'; cpI += n+1; n = cpT-cpI; ! memcpy(defaultvalue, cpI, limit_length(n)); ! defaultvalue[limit_length(n)] = '\0'; cpI += n+1; } else { n = cpT-cpI; ! 
memcpy(mapkey, cpI, limit_length(n)); ! mapkey[limit_length(n)] = '\0'; cpI += n+1; defaultvalue[0] = '\0'; *************** *** 1905,1915 **** --- 1918,1936 ---- cpT = lookup_map(r, mapname, mapkey); if (cpT != NULL) { n = strlen(cpT); + if (cpO + n >= newuri + sizeof(newuri)) { + log_printf(r->server, "insufficient space in expand_map_lookups, aborting"); + return; + } memcpy(cpO, cpT, n); cpO += n; } else { n = strlen(defaultvalue); + if (cpO + n >= newuri + sizeof(newuri)) { + log_printf(r->server, "insufficient space in expand_map_lookups, aborting"); + return; + } memcpy(cpO, defaultvalue, n); cpO += n; } *************** *** 1919,1933 **** if (cpT == NULL) cpT = cpI+strlen(cpI); n = cpT-cpI; memcpy(cpO, cpI, n); cpO += n; cpI += n; } } *cpO = '\0'; ! strcpy(uri, newuri); return; } --- 1940,1960 ---- if (cpT == NULL) cpT = cpI+strlen(cpI); n = cpT-cpI; + if (cpO + n >= newuri + sizeof(newuri)) { + log_printf(r->server, "insufficient space in expand_map_lookups, aborting"); + return; + } memcpy(cpO, cpI, n); cpO += n; cpI += n; } } *cpO = '\0'; ! strncpy(uri, newuri, uri_len-1); ! uri[uri_len-1] = '\0'; return; } + #undef limit_length *************** *** 2034,2040 **** if ((fp = pfopen(r->pool, file, "r")) == NULL) return NULL; ! strcpy(output, MAPFILE_OUTPUT); while (fgets(line, sizeof(line), fp) != NULL) { if (line[strlen(line)-1] == '\n') line[strlen(line)-1] = '\0'; --- 2061,2068 ---- if ((fp = pfopen(r->pool, file, "r")) == NULL) return NULL; ! strncpy(output, MAPFILE_OUTPUT, sizeof(output)-1); ! output[sizeof(output)-1] = '\0'; while (fgets(line, sizeof(line), fp) != NULL) { if (line[strlen(line)-1] == '\n') line[strlen(line)-1] = '\0'; *************** *** 2044,2050 **** if (regexec(lookup_map_txtfile_regexp, line) != 0) { #endif #ifdef HAS_APACHE_REGEX_LIB ! 
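Review bot: `limit_length(n)` caps `n` only from above, so the `memcpy`/terminator pairs in this hunk are still unsafe when `n` is negative: the results of `strchr(cpI, ':')` and `strchr(cpI, '}')` are not checked for NULL before `n = cpT-cpI`. A negative `n` passes through the macro unchanged and reaches `memcpy` as a very large size. The macro, defined in the previous hunk, also assumes `mapname`, `mapkey` and `defaultvalue` are each `LONG_STRING_LEN` bytes (their declarations are not in the hunk) and leaves its argument unparenthesised. A NULL check on each `strchr` result plus `#define limit_length(n) ((n) < 0 ? 0 : (n) > LONG_STRING_LEN-1 ? LONG_STRING_LEN-1 : (n))` would close this.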
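Review bot: The added overflow checks `return` from `expand_map_lookups` before the final copy back into `uri`, so on overflow the caller carries on with the unexpanded `${...}` text and, the function being `void`, cannot tell that expansion was abandoned. The same early return is added in the following hunk at new line 1940. Either document this on the function, e.g. `/* on overflow uri is left unmodified and an error is logged */`, or give the caller a way to fail the request. The function begins and ends outside the hunk.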
strcpy(result, pregsub(r->pool, output, line, lookup_map_txtfile_regexp->re_nsub+1, lookup_map_txtfile_regmatch)); /* substitute in output */ #else regsub(lookup_map_txtfile_regexp, output, result); #endif --- 2072,2079 ---- if (regexec(lookup_map_txtfile_regexp, line) != 0) { #endif #ifdef HAS_APACHE_REGEX_LIB ! strncpy(result, pregsub(r->pool, output, line, lookup_map_txtfile_regexp->re_nsub+1, lookup_map_txtfile_regmatch), sizeof(result)-1); /* substitute in output */ ! result[sizeof(result)-1] = '\0'; #else regsub(lookup_map_txtfile_regexp, output, result); #endif *************** *** 2073,2079 **** char buf[MAX_STRING_LEN]; dbmkey.dptr = key; ! dbmkey.dsize = strlen(key); if ((dbmfp = dbm_open(file, O_RDONLY, 0666)) != NULL) { dbmval = dbm_fetch(dbmfp, dbmkey); if (dbmval.dptr != NULL) { --- 2102,2108 ---- char buf[MAX_STRING_LEN]; dbmkey.dptr = key; ! dbmkey.dsize = strlen(key) < sizeof(buf) - 1 : strlen(key) ? sizeof(buf)-1; if ((dbmfp = dbm_open(file, O_RDONLY, 0666)) != NULL) { dbmval = dbm_fetch(dbmfp, dbmkey); if (dbmval.dptr != NULL) { *************** *** 2099,2105 **** /* read in the response value */ i = 0; ! while (read(fpout, &c, 1) == 1 && (i < LONG_STRING_LEN)) { if (c == '\n') break; buf[i++] = c; --- 2128,2134 ---- /* read in the response value */ i = 0; ! while (read(fpout, &c, 1) == 1 && (i < LONG_STRING_LEN-1)) { if (c == '\n') break; buf[i++] = c; *************** *** 2216,2236 **** (connect->remote_logname != NULL ? connect->remote_logname : "-"), " ", ruser, NULL); ! vsprintf(str2, text, ap); ! if (r->main == NULL) ! strcpy(type, "initial"); ! else ! strcpy(type, "subreq"); for (i = 0, req = r->prev; req != NULL; req = req->prev) ; if (i == 0) strcpy(redir, ""); else ! sprintf(redir, "/redir#%d", i); ! 
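Review bot: The new `dbmkey.dsize` line has the `?` and `:` of the conditional swapped (`strlen(key) < sizeof(buf) - 1 : strlen(key) ? sizeof(buf)-1;`), which is not valid C and will fail to compile wherever this DBM lookup is built. The intended form is presumably `dbmkey.dsize = strlen(key) < sizeof(buf)-1 ? strlen(key) : sizeof(buf)-1;`. Clamping the size also means an over-long key is looked up by its truncated prefix, which may match a different entry; returning no match for over-long keys would be the safer behaviour. The function body continues outside the hunk.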
sprintf(str3, "%s %s [%s/sid#%x][rid#%x/%s%s] (%d) %s\n", str1, current_logtime(r), r->server->server_hostname, (unsigned int)(r->server), (unsigned int)r, type, redir, level, str2); write(conf->rewritelogfp, str3, strlen(str3)); --- 2245,2268 ---- (connect->remote_logname != NULL ? connect->remote_logname : "-"), " ", ruser, NULL); ! ap_vsnprintf(str2, sizeof(str2), text, ap); ! if (r->main == NULL) { ! strncpy(type, "initial", sizeof(type)-1); ! type[sizeof(type)-1] = '\0'; ! } else { ! strncpy(type, "subreq", sizeof(type)-1); ! type[sizeof(type)-1] = '\0'; ! } for (i = 0, req = r->prev; req != NULL; req = req->prev) ; if (i == 0) strcpy(redir, ""); else ! ap_snprintf(redir, sizeof(redir), "/redir#%d", i); ! ap_snprintf(str3, sizeof(str3), "%s %s [%s/sid#%x][rid#%x/%s%s] (%d) %s\n", str1, current_logtime(r), r->server->server_hostname, (unsigned int)(r->server), (unsigned int)r, type, redir, level, str2); write(conf->rewritelogfp, str3, strlen(str3)); *************** *** 2254,2265 **** if(timz < 0) timz = -timz; ! strftime(tstr, MAX_STRING_LEN,"[%d/%b/%Y:%H:%M:%S ",t); #ifdef IS_APACHE_12 ! sprintf(tstr + strlen(tstr), "%c%.2d%.2d]", sign, timz/60, timz%60); #else ! sprintf(tstr + strlen(tstr), "%c%02ld%02ld]", sign, timz/3600, timz%3600); #endif return pstrdup(r->pool, tstr); --- 2286,2297 ---- if(timz < 0) timz = -timz; ! strftime(tstr, 80,"[%d/%b/%Y:%H:%M:%S ",t); #ifdef IS_APACHE_12 ! ap_snprintf(tstr + strlen(tstr), 80-strlen(tstr), "%c%.2d%.2d]", sign, timz/60, timz%60); #else ! ap_snprintf(tstr + strlen(tstr), 80-strlen(tstr), "%c%02ld%02ld]", sign, timz/3600, timz%3600); #endif return pstrdup(r->pool, tstr); *************** *** 2341,2352 **** */ ! static void expand_variables_inbuffer(request_rec *r, char *buf) { char *newbuf; newbuf = expand_variables(r, buf); ! if (strcmp(newbuf, buf) != 0) ! strcpy(buf, newbuf); return; } --- 2373,2386 ---- */ ! 
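Review bot: The literal `80` now appears three times, in `strftime(tstr, 80, ...)` and in both `80-strlen(tstr)` bounds, and has to stay in step with the declaration of `tstr`, which is outside the hunk. If `tstr` is a local array, `sizeof(tstr)` states the bound without a magic number: `ap_snprintf(tstr + strlen(tstr), sizeof(tstr)-strlen(tstr), ...)`. As written, a later change to the array size would silently leave the bound wrong.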
static void expand_variables_inbuffer(request_rec *r, char *buf, int buf_len) { char *newbuf; newbuf = expand_variables(r, buf); ! if (strcmp(newbuf, buf) != 0) { ! strncpy(buf, newbuf, buf_len-1); ! buf[buf_len-1] = '\0'; ! } return; } *************** *** 2359,2383 **** char *cp3; int expanded; ! strcpy(input, str); output[0] = '\0'; expanded = 0; for (cp = input; cp < input+MAX_STRING_LEN; ) { if ((cp2 = strstr(cp, "%{")) != NULL) { if ((cp3 = strstr(cp2, "}")) != NULL) { *cp2 = '\0'; ! strcpy(&output[strlen(output)], cp); ! cp2 += 2; *cp3 = '\0'; ! strcpy(&output[strlen(output)], lookup_variable(r, cp2)); cp = cp3+1; expanded = 1; continue; } } ! strcpy(&output[strlen(output)], cp); break; } return expanded ? pstrdup(r->pool, output) : str; --- 2393,2418 ---- char *cp3; int expanded; ! strncpy(input, str, sizeof(input)-1); ! input[sizeof(input)-1] = '\0'; output[0] = '\0'; expanded = 0; for (cp = input; cp < input+MAX_STRING_LEN; ) { if ((cp2 = strstr(cp, "%{")) != NULL) { if ((cp3 = strstr(cp2, "}")) != NULL) { *cp2 = '\0'; ! strncpy(&output[strlen(output)], cp, sizeof(output)-strlen(output)-1); cp2 += 2; *cp3 = '\0'; ! strncpy(&output[strlen(output)], lookup_variable(r, cp2), sizeof(output)-strlen(output)-1); cp = cp3+1; expanded = 1; continue; } } ! strncpy(&output[strlen(output)], cp, sizeof(output)-strlen(output)-1); ! output[sizeof(output)-1] = '\0'; break; } return expanded ? pstrdup(r->pool, output) : str; *************** *** 2468,2474 **** result = r->server->server_hostname; } else if (strcasecmp(var, "SERVER_PORT") == 0) { ! sprintf(resultbuf, "%d", r->server->port); result = resultbuf; } else if (strcasecmp(var, "SERVER_PROTOCOL") == 0) { --- 2503,2509 ---- result = r->server->server_hostname; } else if (strcasecmp(var, "SERVER_PORT") == 0) { ! 
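Review bot: The appends inside the loop, `strncpy(&output[strlen(output)], cp, sizeof(output)-strlen(output)-1);`, do not terminate `output` when they truncate, and the only `output[sizeof(output)-1] = '\0';` is on the final path before `break`. After a truncated append the next `strlen(output)` can run past the end of the array, because only `output[0]` is initialised in the visible code. With these lengths `strncpy` never writes the last byte, so setting `output[sizeof(output)-1] = '\0';` once before the loop keeps every later `strlen` in bounds. The declarations of `input` and `output` are outside the hunk.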
ap_snprintf(resultbuf, sizeof(resultbuf), "%d", r->server->port); result = resultbuf; } else if (strcasecmp(var, "SERVER_PROTOCOL") == 0) { *************** *** 2478,2484 **** result = pstrdup(r->pool, SERVER_VERSION); } else if (strcasecmp(var, "API_VERSION") == 0) { /* non-standard */ ! sprintf(resultbuf, "%d", MODULE_MAGIC_NUMBER); result = resultbuf; } --- 2513,2519 ---- result = pstrdup(r->pool, SERVER_VERSION); } else if (strcasecmp(var, "API_VERSION") == 0) { /* non-standard */ ! ap_snprintf(resultbuf, sizeof(resultbuf), "%d", MODULE_MAGIC_NUMBER); result = resultbuf; } *************** *** 2486,2498 **** else if (strcasecmp(var, "TIME_YEAR") == 0) { tc = time(NULL); tm = localtime(&tc); ! sprintf(resultbuf, "%02d%02d", (tm->tm_year / 100) + 19, tm->tm_year % 100); result = resultbuf; } #define MKTIMESTR(format, tmfield) \ tc = time(NULL); \ tm = localtime(&tc); \ ! sprintf(resultbuf, format, tm->tmfield); \ result = resultbuf; else if (strcasecmp(var, "TIME_MON") == 0) { MKTIMESTR("%02d", tm_mon+1) --- 2521,2533 ---- else if (strcasecmp(var, "TIME_YEAR") == 0) { tc = time(NULL); tm = localtime(&tc); ! ap_snprintf(resultbuf, sizeof(resultbuf), "%02d%02d", (tm->tm_year / 100) + 19, tm->tm_year % 100); result = resultbuf; } #define MKTIMESTR(format, tmfield) \ tc = time(NULL); \ tm = localtime(&tc); \ ! ap_snprintf(resultbuf, sizeof(resultbuf), format, tm->tmfield); \ result = resultbuf; else if (strcasecmp(var, "TIME_MON") == 0) { MKTIMESTR("%02d", tm_mon+1) *************** *** 2684,2690 **** output = input; /* first, remove the local directory prefix */ ! strcpy(matchbuf, match); /* allways have a trailing slash */ l = strlen(matchbuf); if (matchbuf[l-1] != '/') { --- 2719,2727 ---- output = input; /* first, remove the local directory prefix */ ! strncpy(matchbuf, match, sizeof(matchbuf)-1); ! matchbuf[sizeof(matchbuf)-1] = '\0'; ! 
/* allways have a trailing slash */ l = strlen(matchbuf); if (matchbuf[l-1] != '/') { *************** *** 2697,2703 **** output = pstrdup(r->pool, output+l); /* and now add the base-URL as replacement prefix */ ! strcpy(substbuf, subst); /* allways have a trailing slash */ l = strlen(substbuf); if (substbuf[l-1] != '/') { --- 2734,2741 ---- output = pstrdup(r->pool, output+l); /* and now add the base-URL as replacement prefix */ ! strncpy(substbuf, subst, sizeof(substbuf)-1); ! substbuf[sizeof(substbuf)-1] = '\0'; /* allways have a trailing slash */ l = strlen(substbuf); if (substbuf[l-1] != '/') { *************** *** 2806,2812 **** char curpath[LONG_STRING_LEN]; char *cp; ! strcpy(curpath, path); if (curpath[0] != '/') return 0; if ((cp = strchr(curpath+1, '/')) != NULL) --- 2844,2851 ---- char curpath[LONG_STRING_LEN]; char *cp; ! strncpy(curpath, path, sizeof(curpath)-1); ! curpath[sizeof(curpath)-1] = '\0'; if (curpath[0] != '/') return 0; if ((cp = strchr(curpath+1, '/')) != NULL) 1.15 +2 -2 apache/src/mod_rewrite.h Index: mod_rewrite.h =================================================================== RCS file: /export/home/cvs/apache/src/mod_rewrite.h,v retrieving revision 1.14 retrieving revision 1.15 diff -C3 -r1.14 -r1.15 *** mod_rewrite.h 1997/01/01 18:10:40 1.14 --- mod_rewrite.h 1997/01/20 04:28:16 1.15 *************** *** 333,339 **** static void splitout_queryargs(request_rec *r); static void reduce_uri(request_rec *r); static char *expand_tildepaths(request_rec *r, char *uri); ! static void expand_map_lookups(request_rec *r, char *uri); /* DBM hashfile support functions */ static char *lookup_map(request_rec *r, char *name, char *key); --- 333,339 ---- static void splitout_queryargs(request_rec *r); static void reduce_uri(request_rec *r); static char *expand_tildepaths(request_rec *r, char *uri); ! 
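Review bot: `matchbuf` can now hold up to `sizeof(matchbuf)-1` characters, and the `if (matchbuf[l-1] != '/') {` branch that follows appears to append a trailing slash. Its body is outside the hunk, but if it stores `'/'` at `l` and a new terminator at `l+1`, a full buffer puts that terminator one byte past the array. The same applies to `substbuf` in the next hunk. Truncating one byte earlier leaves room for the slash: `strncpy(matchbuf, match, sizeof(matchbuf)-2); matchbuf[sizeof(matchbuf)-2] = '\0';`. An empty string also makes `l` zero, so `matchbuf[l-1]` reads before the array.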
static void expand_map_lookups(request_rec *r, char *uri, int uri_len); /* DBM hashfile support functions */ static char *lookup_map(request_rec *r, char *name, char *key); *************** *** 354,360 **** static void rewritemap_program_child(void *cmd); /* env variable support */ ! static void expand_variables_inbuffer(request_rec *r, char *buf); static char *expand_variables(request_rec *r, char *str); static char *lookup_variable(request_rec *r, char *var); static char *lookup_header(request_rec *r, const char *name); --- 354,360 ---- static void rewritemap_program_child(void *cmd); /* env variable support */ ! static void expand_variables_inbuffer(request_rec *r, char *buf, int buf_len); static char *expand_variables(request_rec *r, char *str); static char *lookup_variable(request_rec *r, char *var); static char *lookup_header(request_rec *r, const char *name); 1.8 +6 -5 apache/src/mod_usertrack.c Index: mod_usertrack.c =================================================================== RCS file: /export/home/cvs/apache/src/mod_usertrack.c,v retrieving revision 1.7 retrieving revision 1.8 diff -C3 -r1.7 -r1.8 *** mod_usertrack.c 1997/01/01 18:10:42 1.7 --- mod_usertrack.c 1997/01/20 04:28:16 1.8 *************** *** 121,128 **** cookie_log_state *cls = get_module_config (r->server->module_config, &usertrack_module); struct timeval tv; ! char *new_cookie = palloc( r->pool, 100); /* 100 = blurgh */ ! char *cookiebuf = palloc( r->pool, 100); char *dot; const char *rname = pstrdup(r->pool, get_remote_host(r->connection, r->per_dir_config, --- 121,129 ---- cookie_log_state *cls = get_module_config (r->server->module_config, &usertrack_module); struct timeval tv; ! /* 1024 == hardcoded constants */ ! char *new_cookie = palloc( r->pool, 1024); ! 
char *cookiebuf = palloc( r->pool, 1024); char *dot; const char *rname = pstrdup(r->pool, get_remote_host(r->connection, r->per_dir_config, *************** *** 133,139 **** if ((dot = strchr(rname,'.'))) *dot='\0'; /* First bit of hostname */ gettimeofday(&tv, &tz); ! sprintf(cookiebuf, "%s%d%ld%d", rname, (int)getpid(), (long)tv.tv_sec, (int)tv.tv_usec/1000); if (cls->expires) { --- 134,140 ---- if ((dot = strchr(rname,'.'))) *dot='\0'; /* First bit of hostname */ gettimeofday(&tv, &tz); ! ap_snprintf(cookiebuf, 1024, "%s%d%ld%d", rname, (int)getpid(), (long)tv.tv_sec, (int)tv.tv_usec/1000); if (cls->expires) { *************** *** 154,160 **** tms = gmtime(&when); /* Cookie with date; as strftime '%a, %d-%h-%y %H:%M:%S GMT' */ ! sprintf(new_cookie, "%s%s; path=/; expires=%s, %.2d-%s-%.2d %.2d:%.2d:%.2d GMT", COOKIE_NAME, cookiebuf, days[tms->tm_wday], tms->tm_mday, month_snames[tms->tm_mon], --- 155,161 ---- tms = gmtime(&when); /* Cookie with date; as strftime '%a, %d-%h-%y %H:%M:%S GMT' */ ! ap_snprintf(new_cookie, 1024, "%s%s; path=/; expires=%s, %.2d-%s-%.2d %.2d:%.2d:%.2d GMT", COOKIE_NAME, cookiebuf, days[tms->tm_wday], tms->tm_mday, month_snames[tms->tm_mon], *************** *** 162,168 **** tms->tm_hour, tms->tm_min, tms->tm_sec); } else ! sprintf(new_cookie,"%s%s; path=/", COOKIE_NAME, cookiebuf); table_set(r->headers_out,"Set-Cookie",new_cookie); table_set(r->notes, "cookie", cookiebuf); /* log first time */ --- 163,169 ---- tms->tm_hour, tms->tm_min, tms->tm_sec); } else ! 
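Review bot: The size `1024` is written out in both `palloc` calls here and again in the three `ap_snprintf(..., 1024, ...)` calls of the following hunks, so the allocation and the bound are tied together only by convention. A single named constant used in all five places would keep them in step, and the comment `/* 1024 == hardcoded constants */` would be more useful if it said why that size is enough, e.g. `/* room for COOKIE_NAME, the host/pid/time id and the expires attribute */`.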
ap_snprintf(new_cookie, 1024, "%s%s; path=/", COOKIE_NAME, cookiebuf); table_set(r->headers_out,"Set-Cookie",new_cookie); table_set(r->notes, "cookie", cookiebuf); /* log first time */ 1.8 +1 -1 apache/src/rfc1413.c Index: rfc1413.c =================================================================== RCS file: /export/home/cvs/apache/src/rfc1413.c,v retrieving revision 1.7 retrieving revision 1.8 diff -C3 -r1.7 -r1.8 *** rfc1413.c 1997/01/01 18:10:43 1.7 --- rfc1413.c 1997/01/20 04:28:16 1.8 *************** *** 143,149 **** return -1; /* send the data */ ! sprintf(buffer, "%u,%u\r\n", ntohs(rmt_sin->sin_port), ntohs(our_sin->sin_port)); do i = write(sock, buffer, strlen(buffer)); while (i == -1 && errno == EINTR); --- 143,149 ---- return -1; /* send the data */ ! ap_snprintf(buffer, sizeof(buffer), "%u,%u\r\n", ntohs(rmt_sin->sin_port), ntohs(our_sin->sin_port)); do i = write(sock, buffer, strlen(buffer)); while (i == -1 && errno == EINTR); 1.40 +6 -4 apache/src/util.c Index: util.c =================================================================== RCS file: /export/home/cvs/apache/src/util.c,v retrieving revision 1.39 retrieving revision 1.40 diff -C3 -r1.39 -r1.40 *** util.c 1997/01/10 11:43:08 1.39 --- util.c 1997/01/20 04:28:17 1.40 *************** *** 95,101 **** tms = gmtime(&sec); /* RFC date format; as strftime '%a, %d %b %Y %T GMT' */ ! sprintf(ts, "%s, %.2d %s %d %.2d:%.2d:%.2d GMT", days[tms->tm_wday], tms->tm_mday, month_snames[tms->tm_mon], tms->tm_year + 1900, tms->tm_hour, tms->tm_min, tms->tm_sec); --- 95,102 ---- tms = gmtime(&sec); /* RFC date format; as strftime '%a, %d %b %Y %T GMT' */ ! ap_snprintf(ts, sizeof(ts), ! "%s, %.2d %s %d %.2d:%.2d:%.2d GMT", days[tms->tm_wday], tms->tm_mday, month_snames[tms->tm_mon], tms->tm_year + 1900, tms->tm_hour, tms->tm_min, tms->tm_sec); *************** *** 758,769 **** } char *construct_server(pool *p, const char *hostname, int port) { ! char portnum[10]; /* Long enough. Really! 
*/ if (port == 80) return (char *)hostname; else { ! sprintf (portnum, "%d", port); return pstrcat (p, hostname, ":", portnum, NULL); } } --- 759,771 ---- } char *construct_server(pool *p, const char *hostname, int port) { ! char portnum[22]; ! /* Long enough, even if port > 16 bits for some reason */ if (port == 80) return (char *)hostname; else { ! ap_snprintf (portnum, sizeof(portnum), "%d", port); return pstrcat (p, hostname, ":", portnum, NULL); } } *************** *** 1307,1313 **** int offset; offset = 0; ! for (loop=0; loop < (strlen(path) + 1); loop++) { if (path[loop] == '/') { newpath[offset] = '\\'; /* --- 1309,1315 ---- int offset; offset = 0; ! for (loop=0; loop < (strlen(path) + 1) && loop < sizeof(newpath)-1; loop++) { if (path[loop] == '/') { newpath[offset] = '\\'; /* 1.41 +9 -7 apache/src/util_script.c Index: util_script.c =================================================================== RCS file: /export/home/cvs/apache/src/util_script.c,v retrieving revision 1.40 retrieving revision 1.41 diff -C3 -r1.40 -r1.41 *** util_script.c 1997/01/16 07:57:29 1.40 --- util_script.c 1997/01/20 04:28:17 1.41 *************** *** 93,98 **** --- 93,99 ---- av[idx] = escape_shell_cmd(r->pool, t); av[idx] = t; idx++; + if (idx >= APACHE_ARG_MAX-1) break; while ((t = strtok(NULL, "+")) != NULL) { unescape_url(t); *************** *** 100,111 **** av[idx] = escape_shell_cmd(r->pool, t); av[idx] = t; idx++; } va_end(args); } va_end(args); ! av[idx] = NULL; return av; } --- 101,113 ---- av[idx] = escape_shell_cmd(r->pool, t); av[idx] = t; idx++; + if (idx >= APACHE_ARG_MAX-1) break; } va_end(args); } va_end(args); ! av[idx] = '\0'; return av; } *************** *** 177,183 **** table_set (e, http2env (r->pool, hdrs[i].key), hdrs[i].val); } ! sprintf(port, "%d", s->port); if(!(env_path = getenv("PATH"))) env_path=DEFAULT_PATH; --- 179,185 ---- table_set (e, http2env (r->pool, hdrs[i].key), hdrs[i].val); } ! 
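Review bot: The added bound `loop < sizeof(newpath)-1` limits the read index `loop`, but the writes go to `newpath[offset]`, and when the bound stops the loop early the NUL at `path[strlen(path)]` is never copied. Unless code after the hunk terminates `newpath` itself, an over-long path leaves it unterminated. The loop body is cut off by the hunk, so it is also not visible whether `offset` always stays at or below `loop`. Bounding on `offset < sizeof(newpath)-1` and writing `newpath[offset] = '\0';` after the loop would make the limit explicit.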
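Review bot: The argv terminator was changed from `av[idx] = NULL;` to `av[idx] = '\0';`, but `av[idx]` is a pointer (it is assigned `t` a few lines above), so the character constant works only because it is an integer zero and reads as if a string were being terminated. Keep `av[idx] = NULL;`. Separately, the context in both util_script.c hunks shows `av[idx] = escape_shell_cmd(r->pool, t);` immediately followed by `av[idx] = t;`, which discards the escaped value; that predates this commit, but it is worth confirming it is intended. The function starts outside the hunk.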
ap_snprintf(port, sizeof(port), "%d", s->port); if(!(env_path = getenv("PATH"))) env_path=DEFAULT_PATH; *************** *** 193,199 **** table_set (e, "SERVER_ADMIN", s->server_admin); /* Apache */ table_set (e, "SCRIPT_FILENAME", r->filename); /* Apache */ ! sprintf(port, "%d", ntohs(c->remote_addr.sin_port)); table_set (e, "REMOTE_PORT", port); /* Apache */ if (c->user) table_set(e, "REMOTE_USER", c->user); --- 195,201 ---- table_set (e, "SERVER_ADMIN", s->server_admin); /* Apache */ table_set (e, "SCRIPT_FILENAME", r->filename); /* Apache */ ! ap_snprintf(port, sizeof(port), "%d", ntohs(c->remote_addr.sin_port)); table_set (e, "REMOTE_PORT", port); /* Apache */ if (c->user) table_set(e, "REMOTE_USER", c->user); *************** *** 389,399 **** else if(size < 1024) strcpy(ss, " 1k"); else if(size < 1048576) ! sprintf(ss, "%4dk", (size + 512) / 1024); else if(size < 103809024) ! sprintf(ss, "%4.1fM", size / 1048576.0); else ! sprintf(ss, "%4dM", (size + 524288) / 1048576); rputs(ss, r); } --- 391,401 ---- else if(size < 1024) strcpy(ss, " 1k"); else if(size < 1048576) ! ap_snprintf(ss, sizeof(ss), "%4dk", (size + 512) / 1024); else if(size < 103809024) ! ap_snprintf(ss, sizeof(ss), "%4.1fM", size / 1048576.0); else ! ap_snprintf(ss, sizeof(ss), "%4dM", (size + 524288) / 1048576); rputs(ss, r); } *************** *** 473,479 **** program = fopen (r->filename, "r"); if (!program) { char err_string[HUGE_STRING_LEN]; ! sprintf(err_string, "open of %s failed, errno is %d\n", r->filename, errno); /* write(2, err_string, strlen(err_string)); */ /* exit(0); */ log_unixerr("fopen", NULL, err_string, r->server); --- 475,481 ---- program = fopen (r->filename, "r"); if (!program) { char err_string[HUGE_STRING_LEN]; ! 
ap_snprintf(err_string, sizeof(err_string), "open of %s failed, errno is %d\n", r->filename, errno); /* write(2, err_string, strlen(err_string)); */ /* exit(0); */ log_unixerr("fopen", NULL, err_string, r->server); 1.9 +6 -4 apache/src/modules/proxy/proxy_cache.c Index: proxy_cache.c =================================================================== RCS file: /export/home/cvs/apache/src/modules/proxy/proxy_cache.c,v retrieving revision 1.8 retrieving revision 1.9 diff -C3 -r1.8 -r1.9 *** proxy_cache.c 1997/01/01 18:20:01 1.8 --- proxy_cache.c 1997/01/20 04:28:32 1.9 *************** *** 194,200 **** struct gc_ent *fent; int nfiles=0; ! sprintf(cachedir,"%s%s",cachebasedir,cachesubdir); Explain1("GC Examining directory %s",cachedir); dir = opendir(cachedir); if (dir == NULL) --- 194,200 ---- struct gc_ent *fent; int nfiles=0; ! ap_snprintf(cachedir, sizeof(cachedir), "%s%s",cachebasedir,cachesubdir); Explain1("GC Examining directory %s",cachedir); dir = opendir(cachedir); if (dir == NULL) *************** *** 251,260 **** { char newcachedir[HUGE_STRING_LEN]; close(fd); ! sprintf(newcachedir,"%s%s/",cachesubdir,ent->d_name); if(!sub_garbage_coll(r,files,cachebasedir,newcachedir)) { ! sprintf(newcachedir,"%s%s",cachedir,ent->d_name); #if TESTING fprintf(stderr,"Would remove directory %s\n",newcachedir); #else --- 251,262 ---- { char newcachedir[HUGE_STRING_LEN]; close(fd); ! ap_snprintf(newcachedir, sizeof(newcachedir), ! "%s%s/",cachesubdir,ent->d_name); if(!sub_garbage_coll(r,files,cachebasedir,newcachedir)) { ! ap_snprintf(newcachedir, sizeof(newcachedir), ! "%s%s",cachedir,ent->d_name); #if TESTING fprintf(stderr,"Would remove directory %s\n",newcachedir); #else *************** *** 383,389 **** if (q == NULL) { p = palloc(pool, 15); ! sprintf(p, "%u", c->len); proxy_add_header(c->hdrs, "Content-Length", p, HDR_REP); } } --- 385,391 ---- if (q == NULL) { p = palloc(pool, 15); ! 
ap_snprintf(p, 15, "%u", c->len); proxy_add_header(c->hdrs, "Content-Length", p, HDR_REP); } } 1.8 +21 -17 apache/src/modules/proxy/proxy_ftp.c Index: proxy_ftp.c =================================================================== RCS file: /export/home/cvs/apache/src/modules/proxy/proxy_ftp.c,v retrieving revision 1.7 retrieving revision 1.8 diff -C3 -r1.7 -r1.8 *** proxy_ftp.c 1997/01/07 21:51:57 1.7 --- proxy_ftp.c 1997/01/20 04:28:33 1.8 *************** *** 158,164 **** /* now, rebuild URL */ ! if (port != DEFAULT_FTP_PORT) sprintf(sport, ":%d", port); else sport[0] = '\0'; r->filename = pstrcat(pool, "proxy:ftp://", (user != NULL) ? user : "", --- 158,164 ---- /* now, rebuild URL */ ! if (port != DEFAULT_FTP_PORT) ap_snprintf(sport, sizeof(sport), ":%d", port); else sport[0] = '\0'; r->filename = pstrcat(pool, "proxy:ftp://", (user != NULL) ? user : "", *************** *** 221,232 **** char buf[IOBUFSIZE]; char buf2[IOBUFSIZE]; char *filename; ! char urlptr[100]; long total_bytes_sent; register int n, o, w; conn_rec *con = r->connection; ! sprintf(buf,"<HTML><HEAD><TITLE>%s</TITLE></HEAD><BODY><H1>Directory %s</H1><HR><PRE>", url, url); bwrite(con->client, buf, strlen(buf)); if (f2 != NULL) bwrite(f2, buf, strlen(buf)); total_bytes_sent=strlen(buf); --- 221,232 ---- char buf[IOBUFSIZE]; char buf2[IOBUFSIZE]; char *filename; ! char urlptr[HUGE_STRING_LEN]; long total_bytes_sent; register int n, o, w; conn_rec *con = r->connection; ! ap_snprintf(buf, sizeof(buf), "<HTML><HEAD><TITLE>%s</TITLE></HEAD><BODY><H1>Directory %s</H1><HR><PRE>", url, url); bwrite(con->client, buf, strlen(buf)); if (f2 != NULL) bwrite(f2, buf, strlen(buf)); total_bytes_sent=strlen(buf); *************** *** 248,256 **** do filename--; while (filename[0]!=' '); *(filename++)=0; *(link++)=0; ! sprintf(urlptr, "%s%s%s",url,(url[strlen(url)-1]=='/' ? "" : "/"), filename); ! sprintf(buf2, "%s <A HREF=\"%s\">%s %s</A>\015\012", buf, urlptr, filename, link); ! 
strcpy(buf, buf2); n=strlen(buf); } else if(buf[0]=='d' || buf[0]=='-' || buf[0]=='l') --- 248,257 ---- do filename--; while (filename[0]!=' '); *(filename++)=0; *(link++)=0; ! ap_snprintf(urlptr, sizeof(urlptr), "%s%s%s",url,(url[strlen(url)-1]=='/' ? "" : "/"), filename); ! ap_snprintf(buf2, sizeof(urlptr), "%s <A HREF=\"%s\">%s %s</A>\015\012", buf, urlptr, filename, link); ! strncpy(buf, buf2, sizeof(buf)-1); ! buf[sizeof(buf)-1] = '\0'; n=strlen(buf); } else if(buf[0]=='d' || buf[0]=='-' || buf[0]=='l') *************** *** 261,268 **** /* Special handling for '.' and '..' */ if (!strcmp(filename, ".")) { ! sprintf(urlptr, "%s",url); ! sprintf(buf2, "%s <A HREF=\"%s\">%s</A>\015\012", buf, urlptr, filename); } else if (!strcmp(filename, "..")) { --- 262,269 ---- /* Special handling for '.' and '..' */ if (!strcmp(filename, ".")) { ! ap_snprintf(urlptr, sizeof(urlptr), "%s",url); ! ap_snprintf(buf2, sizeof(buf2), "%s <A HREF=\"%s\">%s</A>\015\012", buf, urlptr, filename); } else if (!strcmp(filename, "..")) { *************** *** 270,276 **** char newpath[200]; char *method, *host, *path, *newfile; ! strcpy(temp,url); method=temp; host=strchr(method,':'); --- 271,278 ---- char newpath[200]; char *method, *host, *path, *newfile; ! strncpy(temp, url, sizeof(temp)-1); ! temp[sizeof(temp)-1] = '\0'; method=temp; host=strchr(method,':'); *************** *** 282,301 **** if (path == NULL) path=""; else *(path++)=0; ! strcpy(newpath,path); newfile=strrchr(newpath,'/'); if (newfile) *(newfile)=0; else newpath[0]=0; ! sprintf(urlptr,"%s://%s/%s",method,host,newpath); ! sprintf(buf2, "%s <A HREF=\"%s\">%s</A>\015\012", buf, urlptr, filename); } else { ! sprintf(urlptr, "%s%s%s",url,(url[strlen(url)-1]=='/' ? "" : "/"), filename); ! sprintf(buf2, "%s <A HREF=\"%s\">%s</A>\015\012", buf, urlptr, filename); } ! strcpy(buf, buf2); n=strlen(buf); } --- 284,305 ---- if (path == NULL) path=""; else *(path++)=0; ! strncpy(newpath, path, sizeof(newpath)-1); ! 
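Review bot: The second call in this hunk is bounded by the wrong buffer: `ap_snprintf(buf2, sizeof(urlptr), ...)` writes into `buf2`, declared `char buf2[IOBUFSIZE]` in the previous hunk, but takes its limit from `urlptr`, which is now `HUGE_STRING_LEN` bytes. If `HUGE_STRING_LEN` is larger than `IOBUFSIZE` the overflow this commit is meant to remove is still possible; if it is smaller, the listing line is truncated for no reason. Use `sizeof(buf2)` as the other branches do: `ap_snprintf(buf2, sizeof(buf2), "%s <A HREF=\"%s\">%s %s</A>\015\012", buf, urlptr, filename, link);`.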
newpath[sizeof(newpath)-1] = '\0'; newfile=strrchr(newpath,'/'); if (newfile) *(newfile)=0; else newpath[0]=0; ! ap_snprintf(urlptr, sizeof(urlptr), "%s://%s/%s",method,host,newpath); ! ap_snprintf(buf2, sizeof(buf2), "%s <A HREF=\"%s\">%s</A>\015\012", buf, urlptr, filename); } else { ! ap_snprintf(urlptr, sizeof(urlptr), "%s%s%s",url,(url[strlen(url)-1]=='/' ? "" : "/"), filename); ! ap_snprintf(buf2, sizeof(buf2), "%s <A HREF=\"%s\">%s</A>\015\012", buf, urlptr, filename); } ! strncpy(buf, buf2, sizeof(buf)); ! buf[sizeof(buf)-1] = '\0'; n=strlen(buf); } *************** *** 314,320 **** o+=w; } } ! sprintf(buf,"</PRE><HR><I><A HREF=\"http://www.apache.org\">%s</A></I></BODY></HTML>", SERVER_VERSION); bwrite(con->client, buf, strlen(buf)); if (f2 != NULL) bwrite(f2, buf, strlen(buf)); total_bytes_sent+=strlen(buf); --- 318,324 ---- o+=w; } } ! ap_snprintf(buf, sizeof(buf), "</PRE><HR><I><A HREF=\"http://www.apache.org\">%s</A></I></BODY></HTML>", SERVER_VERSION); bwrite(con->client, buf, strlen(buf)); if (f2 != NULL) bwrite(f2, buf, strlen(buf)); total_bytes_sent+=strlen(buf); *************** *** 660,666 **** { char buff[22]; ! sprintf(buff, "%s:%d", inet_ntoa(server.sin_addr), server.sin_port); proxy_log_uerror("bind", buff, "proxy: error binding to ftp data socket", r->server); pclosef(pool, sock); --- 664,670 ---- { char buff[22]; ! ap_snprintf(buff, sizeof(buff), "%s:%d", inet_ntoa(server.sin_addr), server.sin_port); proxy_log_uerror("bind", buff, "proxy: error binding to ftp data socket", r->server); pclosef(pool, sock); 1.13 +1 -1 apache/src/modules/proxy/proxy_http.c Index: proxy_http.c =================================================================== RCS file: /export/home/cvs/apache/src/modules/proxy/proxy_http.c,v retrieving revision 1.12 retrieving revision 1.13 diff -C3 -r1.12 -r1.13 *** proxy_http.c 1997/01/07 21:51:58 1.12 --- proxy_http.c 1997/01/20 04:28:33 1.13 *************** *** 100,106 **** } else search = NULL; ! 
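Review bot: In the `..` branch, `strncpy(newpath, path, sizeof(newpath)-1)` now cuts the path silently at 199 bytes, because `newpath` is still `char newpath[200]` (declared in the preceding hunk) although `urlptr` was widened to HUGE_STRING_LEN. The following `strrchr(newpath,'/')` then strips the last component of the truncated path, so the parent link can point at a directory other than the real parent. Either size it like its consumer, `char newpath[HUGE_STRING_LEN];`, or detect the case with `if (strlen(path) >= sizeof(newpath))` and omit the link. Separately, `strncpy(buf, buf2, sizeof(buf));` here differs from the `sizeof(buf)-1` form used in the symlink branch; the explicit terminator makes both safe, but one spelling should be used throughout.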
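Review bot: The bind-error message prints `server.sin_port` as stored; going by the `sin_addr`/`sin_port` members `server` looks like a `sockaddr_in`, whose port field is kept in network byte order, so on little-endian hosts the logged port is byte-swapped. Convert it for display: `ap_snprintf(buff, sizeof(buff), "%s:%d", inet_ntoa(server.sin_addr), ntohs(server.sin_port));`. `char buff[22]` is exactly enough for a dotted quad, the colon, five digits and the terminator, which is worth stating in a comment next to the declaration, e.g. `/* "255.255.255.255:65535" + NUL */`.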
if (port != def_port) sprintf(sport, ":%d", port); else sport[0] = '\0'; r->filename = pstrcat(r->pool, "proxy:", scheme, "://", host, sport, "/", --- 100,106 ---- } else search = NULL; ! if (port != def_port) ap_snprintf(sport, sizeof(sport), ":%d", port); else sport[0] = '\0'; r->filename = pstrcat(r->pool, "proxy:", scheme, "://", host, sport, "/", 1.7 +1 -1 apache/src/modules/proxy/proxy_util.c Index: proxy_util.c =================================================================== RCS file: /export/home/cvs/apache/src/modules/proxy/proxy_util.c,v retrieving revision 1.6 retrieving revision 1.7 diff -C3 -r1.6 -r1.7 *** proxy_util.c 1997/01/01 18:20:03 1.6 --- proxy_util.c 1997/01/20 04:28:34 1.7 *************** *** 297,303 **** if (mon == 12) return x; if (strlen(x) < 31) x = palloc(p, 31); ! sprintf(x, "%s, %.2d %s %d %.2d:%.2d:%.2d GMT", wday[wk], mday, months[mon], year, hour, min, sec); return x; } --- 297,303 ---- if (mon == 12) return x; if (strlen(x) < 31) x = palloc(p, 31); ! ap_snprintf(x, strlen(x)+1, "%s, %.2d %s %d %.2d:%.2d:%.2d GMT", wday[wk], mday, months[mon], year, hour, min, sec); return x; }
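Review bot: The bound given to ap_snprintf() is `strlen(x)+1`, evaluated after `x` may have been replaced by `palloc(p, 31)` on the line above. On that path strlen() reads freshly allocated memory that nothing in this hunk initialises, so the limit is arbitrary: it is 1 when the first byte happens to be zero (an empty date is returned), and it can exceed 31 when no zero byte is near, which reads and then writes past the allocation. Keep the capacity in a local instead, for example `if (strlen(x) < 31) { x = palloc(p, 31); xsize = 31; } else xsize = strlen(x) + 1;` followed by `ap_snprintf(x, xsize, ...)`, with `xsize` declared as `size_t`. The function starts outside this hunk, so the declaration would go with its other locals.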