>>>>> "Denys" == Denys Vlasenko <[EMAIL PROTECTED]> writes:
Hi,
>> >> if (strcmp(p, request) == 0) {
>> >> set_remoteuser_var:
>> >> - remoteuser = xstrndup(request, u -
>> >> request);
>> >> + remoteuser = xstrndup(request,
>> >> strchr(request, ':') - request);
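Review bot: in the added `strchr(request, ':') - request` expression, the return value of `strchr()` goes straight into pointer arithmetic without a NULL check. If `request` contains no ':', the subtraction is undefined and the length passed to `xstrndup()` is meaningless. The removed line computed the length from an existing pointer `u`. Either keep using that pointer, or store the `strchr()` result in a local and test it before computing the length, so the line does not rely on the preceding `strcmp()` match to guarantee a ':'.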
>>
Denys> Here where request without ':' will bite us.
>>
>> Actually, thinking about it a bit more - This cannot happen as the
>> strcmp() wouldn't match.
Denys> There is no code which ensures that ':' exists *in config file*.
Denys> It seems like there is no code to ensure that leading '/' is
Denys> there too. Find this comment:
Denys> //TODO: we do not test for leading "/"??
Denys> //also, do we leak cur if BASIC_AUTH is off?
>> Notice that we could use 'p' here instead of
>> 'request' and the result would be the same.
Denys> Thus p can very well be lacking ':'.
No, as this code will only be entered if the strcmp() matches.
--
Bye, Peter Korsgaard
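
The guard this exchange turns on, as an added example (not part of the original mail and not busybox code): `user_part` and `match_and_get_user` are hypothetical names, and plain `malloc` stands in for busybox's `xstrndup`. A stored entry that matches the request but contains no ':' is rejected instead of feeding a NULL `strchr()` result into the length calculation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not a busybox function): return a malloc'd copy of
 * the text before the first ':' in cred, or NULL when cred has no ':'. */
static char *user_part(const char *cred)
{
    const char *colon = strchr(cred, ':');
    if (colon == NULL)              /* the case the thread argues about */
        return NULL;
    size_t len = (size_t)(colon - cred);
    char *user = malloc(len + 1);
    if (user == NULL)
        return NULL;
    memcpy(user, cred, len);
    user[len] = '\0';
    return user;
}

/* Hypothetical: compare a stored entry with the decoded request, as the
 * quoted strcmp() does, and only then derive the user name.
 * Returns 1 with *user set on success, 0 on mismatch or missing ':'. */
static int match_and_get_user(const char *entry, const char *request, char **user)
{
    *user = NULL;
    if (strcmp(entry, request) != 0)
        return 0;
    *user = user_part(request);
    return *user != NULL;
}

int main(void)
{
    /* Constructed sample inputs: { stored entry, decoded request }. */
    const char *cases[][2] = {
        { "admin:secret", "admin:secret" },  /* match, ':' present */
        { "admin:secret", "admin:wrong"  },  /* mismatch */
        { "nocolon",      "nocolon"      },  /* match, but no ':' */
    };
    for (size_t i = 0; i < 3; i++) {
        char *user;
        int ok = match_and_get_user(cases[i][0], cases[i][1], &user);
        printf("%-14s -> %s\n", cases[i][1], ok ? user : "(rejected)");
        free(user);
    }
    return 0;
}
```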