Your message dated Sun, 06 Apr 2008 13:32:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#336524: fixed in cgilib 0.6-1
has caused the Debian Bug report #336524,
regarding cgilib: cgi variable names not decoded
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
336524: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=336524
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: cgilib
Version: 0.5-4
Severity: normal


Cgi variable names as well as variable values need to have escape
sequences decoded.  cglib currently does not do this, however, it
should.  I've attached a patch to correct this.  I've tested it and it
appears to work.

Thanks,
Neal

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1) (ignored: LC_ALL set to 
en_US)

-- no debconf information
--- cgi.c.orig	1999-08-20 22:14:07.000000000 +0100
+++ cgi.c	2005-10-30 22:17:10.699996428 +0000
@@ -248,38 +250,58 @@ s_var **cgiReadVariables ()
     i=0;
     while (*cp) {
 	if ((ip = (char *)strchr(cp, '&')) != NULL) {
+	    /* Replace the & with a NUL to make parsing easier.  */
 	    *ip = '\0';
 	}else
+	    /* This is the last variable set IP to the real trailing
+	       NUL.  */
 	    ip = cp + strlen(cp);
 
 	if ((esp=(char *)strchr(cp, '=')) == NULL) {
+	    /* The value of the variable is the empty string.  */
 	    cp = ++ip;
 	    continue;
 	}
 
 	if (!strlen(esp)) {
+	    /* Variable has no value.  */
 	    cp = ++ip;
 	    continue;
 	}
 
+	/* Squash the = as well.  */
+	*esp = '\0';
+	esp ++;
+
+	/* CP names the start of variable name; ESP names the value;
+	   and IP points to the final NUL.  */
+
 	if (i<numargs) {
+	    char *name;
+	    char *value;
+
+	    name = strdup (cp);
+	    if (! name)
+		return NULL;
+	    cgiDecodeString (name);
+
+	    value = strdup (esp);
+	    if (! value) {
+		free (name);
+		return NULL;
+	    }
+	    cgiDecodeString (value);
 
 	    /* try to find out if there's already such a variable */
-	    for (k=0; k<i && (strncmp (result[k]->name,cp, esp-cp) || !(strlen (result[k]->name) == esp-cp)); k++);
+	    for (k=0; k<i && strcmp (result[k]->name, name); k++)
+		;
 
 	    if (k == i) {	/* No such variable yet */
 		if ((result[i] = (s_var *)malloc(sizeof(s_var))) == NULL)
 		    return NULL;
-		if ((result[i]->name = (char *)malloc((esp-cp+1) * sizeof(char))) == NULL)
-		    return NULL;
-		memset (result[i]->name, 0, esp-cp+1);
-		strncpy(result[i]->name, cp, esp-cp);
-		cp = ++esp;
-		if ((result[i]->value = (char *)malloc((ip-esp+1) * sizeof(char))) == NULL)
-		    return NULL;
-		memset (result[i]->value, 0, ip-esp+1);
-		strncpy(result[i]->value, cp, ip-esp);
-		result[i]->value = cgiDecodeString(result[i]->value);
+		result[i]->name = name;
+		result[i]->value = value;
+
 		if (cgiDebugLevel) {
 		    if (cgiDebugStderr)
 			fprintf (stderr, "%s: %s\n", result[i]->name, result[i]->value);
@@ -288,15 +310,14 @@ s_var **cgiReadVariables ()
 		}
 		i++;
 	    } else {	/* There is already such a name, suppose a mutiple field */
-		cp = ++esp;
-		len = (strlen(result[k]->value)+(ip-esp)+2) * sizeof (char);
-		if ((sptr = (char *)malloc(len)) == NULL)
+		int len = strlen (result[k]->value);
+		if ((sptr = realloc (result[k]->value,
+				     len + 1 + strlen (value) + 1)) == NULL)
 		    return NULL;
-		memset (sptr, 0, len);
-		sprintf (sptr, "%s\n", result[k]->value);
-		strncat(sptr, cp, ip-esp);
-		free(result[k]->value);
-		result[k]->value = cgiDecodeString (sptr);
+
+		result[k]->value[len] = '\n';
+		memcpy (result[k]->value + len + 1, value, strlen (value) + 1);
+		free (value);
 	    }
 	}
 	cp = ++ip;

--- End Message ---
--- Begin Message ---
Source: cgilib
Source-Version: 0.6-1

We believe that the bug you reported is fixed in the latest version of
cgilib, which is due to be installed in the Debian FTP archive:

cgilib_0.6-1.diff.gz
  to pool/main/c/cgilib/cgilib_0.6-1.diff.gz
cgilib_0.6-1.dsc
  to pool/main/c/cgilib/cgilib_0.6-1.dsc
cgilib_0.6-1_i386.deb
  to pool/main/c/cgilib/cgilib_0.6-1_i386.deb
cgilib_0.6.orig.tar.gz
  to pool/main/c/cgilib/cgilib_0.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Schulze <[EMAIL PROTECTED]> (supplier of updated cgilib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 06 Apr 2008 15:16:19 +0200
Source: cgilib
Binary: cgilib
Architecture: source i386
Version: 0.6-1
Distribution: unstable
Urgency: low
Maintainer: Martin Schulze <[EMAIL PROTECTED]>
Changed-By: Martin Schulze <[EMAIL PROTECTED]>
Description: 
 cgilib     - Simple CGI Library
Closes: 162239 282334 291753 336524
Changes: 
 cgilib (0.6-1) unstable; urgency=low
 .
   * New upstream version
     . Declare some variables const (closes: Bug#162239)
     . Add CR to Content-type output (closes: Bug#282334)
     . Properly terminate buffer (closes: Bug#291753)
     . Decode CGI variable names (closes: Bug#336524)
   * Bumped Standards-Version
   * Enhanced copyright file
Files: 
 127a107db7bda6b7bbe460c35a1ea61b 513 web optional cgilib_0.6-1.dsc
 392f00a4ce90426606efcb6ce705fd75 25268 web optional cgilib_0.6.orig.tar.gz
 bfd02601d29335bc20a213c6700d42dd 5075 web optional cgilib_0.6-1.diff.gz
 64823380344895b4d3d4667b7efe1fcd 37766 web optional cgilib_0.6-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH+M+mW5ql+IAeqTIRAiI4AKChS2hQi+27RNVFPrLoEFnDkai8JQCghkdB
yoMxVh6klTHtaFkn23ExuDI=
=TKhj
-----END PGP SIGNATURE-----



--- End Message ---

Reply via email to