Author: joes
Date: Tue Apr 19 07:55:40 2005
New Revision: 161902
URL: http://svn.apache.org/viewcvs?view=rev&rev=161902
Log:
Setting the UTF8 flag on non-utf8 data is a security hole.
Let's see if coupling that decision with taintedness helps
resolve this issue.
Modified:
httpd/apreq/trunk/CHANGES
httpd/apreq/trunk/glue/perl/xsbuilder/apreq_xs_postperl.h
Modified: httpd/apreq/trunk/CHANGES
URL:
http://svn.apache.org/viewcvs/httpd/apreq/trunk/CHANGES?view=diff&r1=161901&r2=161902
==============================================================================
--- httpd/apreq/trunk/CHANGES (original)
+++ httpd/apreq/trunk/CHANGES Tue Apr 19 07:55:40 2005
@@ -7,8 +7,9 @@
- C API [joes]
Add apreq_cp1252_to_utf8().
-- C API [joes]
- Add charset support for params.
+- C. Perl API [joes]
+ Add charset support for params and couple the SvUTF8 flag
+ to the param's taint flag.
- C API [joes]
Replace v->size with v->nlen + v->dlen.
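Review bot: the new entry header `- C. Perl API [joes]` looks like a typo for `C, Perl API`, and "couple the SvUTF8 flag to the param's taint flag" does not say which way the coupling goes. Suggest stating the rule outright: SvUTF8 is set only on params that are not tainted and are tagged APREQ_CHARSET_UTF8. Perl callers reading CHANGES then know that tainted values now come back without the flag.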
Modified: httpd/apreq/trunk/glue/perl/xsbuilder/apreq_xs_postperl.h
URL:
http://svn.apache.org/viewcvs/httpd/apreq/trunk/glue/perl/xsbuilder/apreq_xs_postperl.h?view=diff&r1=161901&r2=161902
==============================================================================
--- httpd/apreq/trunk/glue/perl/xsbuilder/apreq_xs_postperl.h (original)
+++ httpd/apreq/trunk/glue/perl/xsbuilder/apreq_xs_postperl.h Tue Apr 19
07:55:40 2005
@@ -146,7 +146,11 @@
SV *rv = newSVpvn(p->v.data, p->v.dlen);
if (apreq_param_is_tainted(p))
SvTAINTED_on(rv);
- if (apreq_param_charset_get(p) == APREQ_CHARSET_UTF8)
+ else if (apreq_param_charset_get(p) == APREQ_CHARSET_UTF8)
+ /* Setting the UTF8 flag on non-utf8 data is a security hole.
+ * Let's see if coupling that decision with taintedness helps
+ * resolve this issue.
+ */
SvUTF8_on(rv);
return rv;
}
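Review bot: in the new `else if` branch, `SvUTF8_on(rv)` still depends only on `apreq_param_charset_get(p) == APREQ_CHARSET_UTF8`. Nothing in these lines checks that `p->v.data` is well-formed UTF-8, so the flag is only as trustworthy as whatever cleared the taint flag. Consider validating the bytes before turning the flag on, for example with Perl's `is_utf8_string()` over `p->v.data` and `p->v.dlen`. Two smaller points: the added comment sits between the condition and its unbraced statement, so brace the branch to keep a later edit from detaching `SvUTF8_on(rv)` from the `else if`. The comment should also state the rule (a tainted param never gets SvUTF8) instead of "Let's see if ...", since a tainted param that really is UTF-8 now reaches Perl as bytes and callers need to know to decode it themselves.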