The use of atoi triggers a false positive in the nessus security scanner, which believes it is an SQL injection.
Make nessus users happy by making the integer conversion slightly more strict.
Signed-off-by: Natanael Copa <[email protected]>
---
cgit.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/cgit.c b/cgit.c
index ae413c6..fccde9e 100644
--- a/cgit.c
+++ b/cgit.c
@@ -307,7 +307,7 @@ static void querystring_cb(const char *name, const char *value)
 ctx.qry.sha2 = xstrdup(value);
 ctx.qry.has_sha1 = 1;
 } else if (!strcmp(name, "ofs")) {
- ctx.qry.ofs = atoi(value);
+ strtol_i(value, 10, &ctx.qry.ofs);
 } else if (!strcmp(name, "path")) {
 ctx.qry.path = trim_end(value, '/');
 } else if (!strcmp(name, "name")) {
@@ -317,22 +317,26 @@ static void querystring_cb(const char *name, const char *value)
 } else if (!strcmp(name, "s")) {
 ctx.qry.sort = xstrdup(value);
 } else if (!strcmp(name, "showmsg")) {
- ctx.qry.showmsg = atoi(value);
+ strtol_i(value, 10, &ctx.qry.showmsg);
 } else if (!strcmp(name, "period")) {
 ctx.qry.period = xstrdup(value);
 } else if (!strcmp(name, "dt")) {
- ctx.qry.difftype = atoi(value);
+ int difftype = 0;
+ strtol_i(value, 10, &difftype);
+ ctx.qry.difftype = difftype;
 ctx.qry.has_difftype = 1;
 } else if (!strcmp(name, "ss")) {
 /* No longer generated, but there may be links out there. */
- ctx.qry.difftype = atoi(value) ? DIFF_SSDIFF : DIFF_UNIFIED;
+ int n = 0;
+ strtol_i(value, 10, &n);
+ ctx.qry.difftype = n ? DIFF_SSDIFF : DIFF_UNIFIED;
 ctx.qry.has_difftype = 1;
 } else if (!strcmp(name, "all")) {
- ctx.qry.show_all = atoi(value);
+ strtol_i(value, 10, &ctx.qry.show_all);
 } else if (!strcmp(name, "context")) {
- ctx.qry.context = atoi(value);
+ strtol_i(value, 10, &ctx.qry.context);
 } else if (!strcmp(name, "ignorews")) {
- ctx.qry.ignorews = atoi(value);
+ strtol_i(value, 10, &ctx.qry.ignorews);
 }
 }
--
2.4.0
_______________________________________________
CGit mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/cgit
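Review bot: Every strtol_i() call in both hunks discards its return value, so a malformed or out-of-range query value is silently ignored at the ofs, showmsg, all, context and ignorews sites, where the parse writes straight into the ctx.qry field; only the dt and ss sites seed a local with 0 first. If strtol_i leaves the destination untouched on failure (its contract is not visible in this patch), those fields then keep whatever they held before rather than the 0 that atoi produced, and a successful parse still accepts negative values for ofs and context, which arrive unchecked from the query string. Checking the result and rejecting negatives would make the conversion strict in substance rather than only in the scanner's eyes, e.g. `if (strtol_i(value, 10, &ctx.qry.ofs) || ctx.qry.ofs < 0) ctx.qry.ofs = 0;` for ofs and the same shape for context. querystring_cb starts before the first hunk.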
