On Sat, Sep 12, 2009 at 10:43:29PM +0200, Stefan Fritsch wrote:
> On Fri, 11 Sep 2009, Joe Orton wrote:
>> + char *p = ap_strchr(reply, '('), *ep, *term;
>> + long port;
>> +
>> + /* Reply syntax per RFC 2428: "229 blah blah (|||port|)" where '|'
>> + * can be any character in ASCII from 33-126, obscurely. Verify
>> + * the syntax. */
>> + if (p == NULL || p[1] != p[2] || p[1] != p[3]
>> + || (ep = strchr(p + 4, ')')) == NULL
>> + || ep == p + 4 || ep[-1] != p[1]) {
>> + return 0;
>> + }
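Review bot: the comment above the condition says the delimiter may be any ASCII character from 33 to 126, but the condition only compares p[1], p[2] and p[3] with each other and never tests p[1] against that range. Add an explicit test such as p[1] < 33 || p[1] > 126 ahead of the comparisons, so the code enforces what the comment documents. Separately, ep == p + 4 rejects "(|||)", but "(||||)" still passes with nothing between the third delimiter and the closing one, so the number parsing that follows must reject an empty port field.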
>
> Shouldn't you also check for p[1] != 0 before p[1] != p[2], to catch the
> case where reply ends after the opening bracket?

Yes indeed! Thanks a lot. I've rewritten that code slightly, tested
again, and committed here:

http://svn.apache.org/viewvc?view=rev&revision=814652

I've not touched the PASV code in that commit, since there doesn't seem
to be a security issue there, ugly as the code is.

Regards, Joe
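
The check discussed in this thread, as an added stand-alone example (not the code committed in the revision linked above, and not httpd's own function): `parse_epsv_port` is a hypothetical helper that range-checks the delimiter before p[2] and p[3] are compared, which also covers a reply that ends right after the opening bracket. The sample replies in `main` are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not httpd's function: extract the port from an
 * RFC 2428 EPSV reply such as "229 Entering ... (|||6446|)".
 * Returns the port (1-65535), or 0 if the reply is malformed. */
static unsigned int parse_epsv_port(const char *reply)
{
    const char *p = strchr(reply, '('), *ep;
    char *term;
    char d;
    long port;

    if (p == NULL)
        return 0;
    d = p[1];
    /* Delimiter must be ASCII 33-126. This also rejects NUL, so a reply
     * ending right after '(' is caught before p[2] and p[3] are read. */
    if (d < 33 || d > 126)
        return 0;
    /* Short-circuit: p[3] is read only when p[2] is not the terminator. */
    if (p[2] != d || p[3] != d)
        return 0;
    /* p[4] is at worst the terminating NUL, so strchr stays in bounds. */
    ep = strchr(p + 4, ')');
    if (ep == NULL || ep == p + 4 || ep[-1] != d)
        return 0;
    /* strtol alone would accept whitespace or a sign; insist on a digit. */
    if (p[4] < '0' || p[4] > '9')
        return 0;
    errno = 0;
    port = strtol(p + 4, &term, 10);
    /* The digits must run right up to the closing delimiter. */
    if (errno != 0 || term != ep - 1 || port < 1 || port > 65535)
        return 0;
    return (unsigned int)port;
}

int main(void)
{
    /* Constructed sample replies, not captured traffic. */
    const char *samples[] = { "229 OK (|||6446|)", "229 OK (", "229 OK (||||)" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %u\n", samples[i], parse_epsv_port(samples[i]));
    return 0;
}
```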