Hello Alexander,
On 2019-03-28 11:04 a.m., Alexander Vickberg wrote:
> This patch creates a list of unmatched HTTP headers and sets up
> environment variables before running the CGI script.
I assume this is inspired by my (more limited) patch
of passing "Content-encoding" header:
http://lists.busybox.net/pipermail/busybox/2019-March/087141.html
(or, just a very strange timing coincidence?).
I like your patch and of course, if it is accepted,
mine isn't needed.
two small comments:
@@ -417,6 +423,7 @@ struct globals {
IF_FEATURE_HTTPD_CGI(char *host;)
IF_FEATURE_HTTPD_CGI(char *http_accept;)
IF_FEATURE_HTTPD_CGI(char *http_accept_language;)
+IF_FEATURE_HTTPD_CGI(HTTP_Header *hdr_list;)
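Review bot: the new hdr_list member in struct globals has no comment saying who owns the list and when it is released. The neighbouring host, http_accept and http_accept_language fields are plain char pointers, while this one heads a chain of allocated nodes, so a one-line comment stating that it holds the unmatched headers of the current request and where the nodes are freed would help. The mixed-case type name HTTP_Header also stands out next to the lower-case identifiers around it; a lower-case name would match them.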
Since your mechanism is now much more generic than
the hard-coded CGI headers, perhaps they can
be safely removed?
i.e. host/http_accept/http_accept_language/cookie/referer .
Seems like this could save some space.
+HTTP_Header *cur = xzalloc(sizeof(HTTP_Header));
+char *after_colon = strchr(iobuf, ':');
+char *ch = iobuf;
+
+if (!after_colon)
+ continue;
+
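Review bot: the xzalloc(sizeof(HTTP_Header)) on the first added line runs before the colon check, so when strchr() returns NULL the continue leaves cur allocated and, as far as these lines show, neither linked into the list nor freed. Moving the allocation below the "if (!after_colon) continue;" test avoids allocating for lines that are going to be skipped and removes the need for a free() on that path. A smaller point: after_colon points at the ':' itself at this stage, so a name such as colon would describe it better until it is advanced past the separator.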
I think the combination of "xzalloc" + "continue"
opens the possibility of a resource leak -
if a malicious client sends lots of HTTP header lines without
a colon, there's no corresponding "free".
regards,
- assaf