On Sun, May 12, 2002, Kreso <[EMAIL PROTECTED]> wrote:
> what is the status of php extension module in 3.1.19 w/PHP 4.1.2
> regarding this bug?

Probably not vulnerable in the same way. search.c is CGI specific.

However, mnogosearch has numerous places where it doesn't practice safe
or defensive coding leading to more buffer overflows than this.

The patch qitest1 supplied only fixes one of a couple of problems that
are identical to the problem he found.

Here's a quick patch I slapped together which should be better than the
patch qitest1 supplied. The patch is untested, but it does compile. It's
relative to a highly modified version of mnogosearch-3.1.19 so it'll
definitely have some sort of fuzz, but it may not apply at all. I
haven't tried.

JE

diff -ur mnogosearch-3.1.19.orig/include/udm_utils.h 
mnogosearch-3.1.19/include/udm_utils.h
--- mnogosearch-3.1.19.orig/include/udm_utils.h Wed Aug 22 06:24:49 2001
+++ mnogosearch-3.1.19/include/udm_utils.h      Sat May 11 18:22:01 2002
@@ -35,8 +35,8 @@
 extern char * UdmTrim(char * p, const char * delim);
 extern char * UdmRTrim(char* p, const char * delim);
 extern char * UdmHtmlSpecialChars(const char *str);
-extern char * UdmUnescapeCGIQuery(char *d,char *s);
-extern char * UdmEscapeURL(char *d,char *s);
+extern char * UdmUnescapeCGIQuery(char *d,int len,char *s);
+extern char * UdmEscapeURL(char *d,int len,char *s);
 extern char * UdmRemove2Dot(char *path);
 extern char * UdmBuildParamStr(char * dst,size_t len,const char * src,char ** 
argv,size_t argc);
 extern char * UdmStrRemoveChars(char * str, const char * sep);
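Review bot: The new `len` parameters on lines 31-32 are `int`, while `UdmBuildParamStr` two lines below takes `size_t len` for the same purpose and every updated caller passes a `sizeof` or `strlen(...)+1`; declaring them as `char *d, size_t len, char *s` keeps the header consistent and avoids the implicit narrowing at each call site. A signed `int` also admits a negative length, which the implementation's `len--` turns into -1 and then treats as a zero-sized destination. Whichever type is kept, the header is the place to document the contract: `/* d receives at most len-1 bytes plus a terminator; output is truncated when s does not fit */`.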
diff -ur mnogosearch-3.1.19.orig/src/indexer.c mnogosearch-3.1.19/src/indexer.c
--- mnogosearch-3.1.19.orig/src/indexer.c       Sat May 11 18:29:36 2002
+++ mnogosearch-3.1.19/src/indexer.c    Sat May 11 18:41:55 2002
@@ -1244,7 +1244,7 @@
        if (strcmp(CurURL.filename,"robots.txt")||is_mp3||!CurSrv->check_only_mp3_tag){
                char str[UDMSTRSIZ];
                if(CurSrv->urlweight) {
-                       UdmUnescapeCGIQuery(str,Doc->url);
+                       UdmUnescapeCGIQuery(str,sizeof(str),Doc->url);
                        UdmParseText(Indexer,CurSrv,str,CurSrv->urlweight,1);
                } else {
                        if(CurSrv->urlhostweight) {
@@ -1252,11 +1252,11 @@
                                
UdmParseText(Indexer,CurSrv,str,CurSrv->urlhostweight,1);       
                        }
                        if(CurSrv->urlpathweight) {
-                               UdmUnescapeCGIQuery(str,CurURL.path);
+                               UdmUnescapeCGIQuery(str,sizeof(str),CurURL.path);
                                
UdmParseText(Indexer,CurSrv,str,CurSrv->urlpathweight,1);
                        }
                        if(CurSrv->urlfileweight) {
-                               UdmUnescapeCGIQuery(str,CurURL.filename);
+                               UdmUnescapeCGIQuery(str,sizeof(str),CurURL.filename);
                                
UdmParseText(Indexer,CurSrv,str,CurSrv->urlfileweight,1);
                        }
                }   
diff -ur mnogosearch-3.1.19.orig/src/proto.c mnogosearch-3.1.19/src/proto.c
--- mnogosearch-3.1.19.orig/src/proto.c Tue Aug 21 03:53:34 2001
+++ mnogosearch-3.1.19/src/proto.c      Sat May 11 18:42:34 2002
@@ -904,7 +904,7 @@
        }else{
                strcpy(newfilename,filename);
        }
-       UdmUnescapeCGIQuery(openname,newfilename);
+       UdmUnescapeCGIQuery(openname,sizeof(openname),newfilename);
 
        s=openname;
        while(*s){
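Review bot: `strcpy(newfilename,filename)` on line 71 is still an unbounded copy of the same string the patch bounds on line 74, so the overflow moves one statement up rather than going away; the next hunk has the same `strcpy` on line 81, fed by `sscanf(header,"%s%s%s",command,filename,proto)` with no field widths. If these are fixed-size arrays (their declarations are outside both hunks) use `snprintf(newfilename, sizeof newfilename, "%s", filename)` and give each `%s` in the sscanf format a width one less than its buffer. `sizeof(openname)` is only the buffer size if `openname` is a local array rather than a pointer, which the hunk does not show; the same caveat applies to `ul_unescaped` in search.c. Both enclosing functions start outside the hunks.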
@@ -1048,7 +1048,7 @@
 
        sscanf(header,"%s%s%s",command,filename,proto);
        strcpy(newfilename,filename);
-       UdmUnescapeCGIQuery(openname,newfilename);
+       UdmUnescapeCGIQuery(openname,sizeof(openname),newfilename);
 
        /* Remember If-Modified-Since timestamp */
        s=UdmGetToken(header,"\r\n",&lt);
diff -ur mnogosearch-3.1.19.orig/src/search.c mnogosearch-3.1.19/src/search.c
--- mnogosearch-3.1.19.orig/src/search.c        Sat May 11 18:29:51 2002
+++ mnogosearch-3.1.19/src/search.c     Sat May 11 18:13:55 2002
@@ -1413,8 +1413,8 @@
                */
                if(!UDM_STRNCMP(token,"q=")){
                        char str[UDMSTRSIZ]="";
-                       query_words=strdup(UdmUnescapeCGIQuery(str,token+2));
-                       query_url_escaped=strdup(UdmEscapeURL(str,query_words));
+                       
+query_words=strdup(UdmUnescapeCGIQuery(str,sizeof(str),token+2));
+                       
+query_url_escaped=strdup(UdmEscapeURL(str,sizeof(str),query_words));
                        query_form_escaped=UdmHtmlSpecialChars(query_words);
                }else
                if(!UDM_STRNCMP(token,"tmplt=")){
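Review bot: `UdmEscapeURL(str,sizeof(str),query_words)` on line 99 can now truncate silently: escaping expands each escaped character to three bytes, so a query that fits `str` after unescaping may not fit once re-escaped, and `query_url_escaped` would then hold an incomplete query with no error visible to the caller. The next hunk already sizes `db_s` from its input with `UdmXmalloc(strlen(token+3)+1)`; allocating `3*strlen(query_words)+1` here the same way would make the escaped copy exact instead of best-effort. Separately, the new side of this hunk appears as four `+` lines for the two removed ones (lines 96-99), which looks like mail wrapping; as posted the hunk's line counts do not seem to match its header and it would likely not apply.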
@@ -1490,14 +1490,14 @@
                        /* (range) begin date */
                        db_s=UdmXmalloc(strlen(token+3)+1);
                        if (db_s)
-                           UdmUnescapeCGIQuery(db_s, token+3);
+                           UdmUnescapeCGIQuery(db_s, strlen(token+3)+1, token+3);
                }
                else
                if(!UDM_STRNCMP(token,"de=") && strlen(token) > 3){
                        /* (range) end date */
                        de_s=UdmXmalloc(strlen(token+3)+1);
                        if (de_s)
-                           UdmUnescapeCGIQuery(de_s, token+3);
+                           UdmUnescapeCGIQuery(de_s, strlen(token+3)+1, token+3);
                }
                /* end of time limiting options */
                else
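Review bot: `strlen(token+3)+1` is evaluated twice on lines 105 and 108 (and again on 113 and 116), once for the allocation and once for the bound passed to `UdmUnescapeCGIQuery`; computing it once, e.g. `size_t n = strlen(token+3)+1; db_s=UdmXmalloc(n); if (db_s) UdmUnescapeCGIQuery(db_s, n, token+3);`, keeps the allocation size and the bound from drifting apart if either line is edited later. The `size_t` value is also narrowed to the function's `int len` parameter, which is harmless at these sizes but worth either a `size_t` parameter or an explicit cast so the narrowing is visible.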
@@ -1507,7 +1507,7 @@
 #ifdef HAVE_FILES
                        use_autowild=0;
 #endif
-                       UdmUnescapeCGIQuery(ul_unescaped,token+3);
+                       UdmUnescapeCGIQuery(ul_unescaped,sizeof(ul_unescaped),token+3);
                        if(use_autowild){
                                UDM_URL Url;
                                UdmParseURL(&Url,ul_unescaped);
@@ -1529,7 +1529,7 @@
                }else
                if((!UDM_STRNCMP(token,"t="))&&(*(token+2))){
                        char str[UDMSTRSIZ]="";
-                       UdmUnescapeCGIQuery(str,token+2);
+                       UdmUnescapeCGIQuery(str,sizeof(str),token+2);
                        UdmAddTagLimit(Indexer->Conf,str);
                        udm_snprintf(UDM_STREND(ul_str), sizeof(ul_str) - 
strlen(ul_str), "&t=%s", token+2);
                        UDM_FREE(ttag);
diff -ur mnogosearch-3.1.19.orig/src/udmutils.c mnogosearch-3.1.19/src/udmutils.c
--- mnogosearch-3.1.19.orig/src/udmutils.c      Mon Jul 16 04:04:09 2001
+++ mnogosearch-3.1.19/src/udmutils.c   Sat May 11 18:45:30 2002
@@ -368,12 +368,13 @@
        return res;
 }
 
-char * UdmUnescapeCGIQuery(char *d,char *s){
+char * UdmUnescapeCGIQuery(char *d,int len,char *s){
 int hi,lo=0;
 char *dd;
+       len--;  /* Account for null terminator */
        if((d==NULL)||(s==NULL))return(0);
        dd=d;
-       while(*s){
+       while(*s && (d - dd) < len){
                if(*s=='%'){
                        if(strchr("0123456789",*(++s))) hi=*s-'0';
                        else hi=*s-'A'+10;
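Review bot: Decoding `%` on lines 155-157 advances `s` without checking for the end of the source string: `strchr("0123456789", '\0')` matches the terminator, so a source ending in `%` or `%A` is consumed as a digit and the following `++s` reads past the end of the string; the new bound only protects the destination. Guard the whole escape before decoding, e.g. `if(*s=='%' && s[1] && s[2]){`, and treat a malformed escape as a literal `%` (the rest of the decode and the else path are outside the hunk). Note also that `len--` on line 150 runs before the NULL check and a `len` of 0 becomes -1, so the loop is skipped but the terminating `*d=0` in the next hunk still writes one byte into a zero-length buffer; `if (len <= 0) return(0);` after the decrement would close that. The loop body and the terminating write continue past the end of this hunk.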
@@ -391,12 +392,15 @@
        *d=0;return(dd);
 }
 
-char * UdmEscapeURL(char *d,char *s){
+char * UdmEscapeURL(char *d,int len,char *s){
 char *dd;
+       len--;  /* Account for null terminator */
        if((d==NULL)||(s==NULL))return(0);
        dd=d;
-       while(*s){
+       while(*s && (d - dd) < len){
                if(strchr("%&<>+[](){}/?#'\"\\;,",*s)){
+                       if ((d - dd) + 2 >= len)
+                               break;
                        sprintf(d,"%%%x",(int)*s);
                        *(d+1)=toupper(*(d+1));
                        *(d+2)=toupper(*(d+2));
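Review bot: The room check added on lines 171-172 is correct for a three-byte escape, but it relies on `sprintf(d,"%%%x",...)` writing exactly three characters, which only holds because every character in the `strchr` set on line 170 lies between 0x22 and 0x7D; `snprintf(d, 4, "%%%02X", (unsigned char)*s)` makes that width explicit, stays correct for any byte, and removes the two `toupper` fix-ups that follow. When the loop stops on either bound the caller receives a truncated result with no indication; if that is acceptable the `break` deserves a comment such as `/* out of room: output is truncated, callers needing an exact result must size d for 3*strlen(s)+1 */`. The loop body and the terminating write continue past the end of the hunk.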