Hello all,
memcached uses libevent, and I've been working recently on a web-based
debugging console as part of it. Since memcached already used libevent for
socket notifications, I figured that evhttp would make it easy to add a
web-based interface to it. Which it did.
In doing this though, I found a few serious bugs in evhttp_parse_query()
that make me wonder if anyone is actually using libevent/http for anything
serious.
Of course, I may be completely miss-understanding how these functions are
supposed to be used, but a lack of documentation found anywhere has caused
me to look at the code to figure out how to use it.
The first bit that piqued my interest was in the comment before the
evhttp_parse_query code.
/*
> * Helper function to parse out arguments in a query.
> * The arguments are separated by key and value.
> * URI should already be decoded.
> */
>
This seems to be markedly wrong. You should not decode the entire URI
query string in one go. You need to parse out the key/value pairs and then
decode the key and value bits.
For example.... if you have a query with parameters like this:
?username=frank&password=secret
The existing code works alright, but what if the persons password was
se&cret?
Anyway, assuming the developer did or didn't already decode the query
string, we get to the evhttp_parse_query function, which will first find the
'?', and then basically split the string using '&' as a delimeter. Each
key/value pair is split on the '=' so that you get seperate key and value.
So if we supply a query of '?username=frank&password=secret', you get the
the following pairs:
> username=frank
> password=secret
>
But what if frank used 'se&cret' as a password? The browser would actually
send '?username=frank&password=se#38cret', but since we are supposed to
decode the entire query string before we parse out the params, then we end
up actually processing '?username=frank&password=se&cret'. Since we
seperate the pairs by splitting on string on '&', we end up with:
username=frank
password=se
cret
Which is entirely not what we wanted. But anyway, that is not really a bug
in the event code, but an incorrect comment. The only real example of code
on how to use this function followed the instructions though, and did decode
the entire query string before parsing it.
Inside the function, we see that before the key and value is added to the
'headers' structure, we see that the value is then decoded, which is correct
(although I would say the key should be decoded then too).
> value = evhttp_decode_uri(value);
>
Which is where we get to the first major bug.
evhttp_decode_uri assumes that you are decoding an entire query string which
includes a '?', but we can see here that it is being used to decode only a
portion of the query string, just a value part.
if (c == '?') {
in_query = 1;
} else if (c == '+' && in_query) {
c = ' ';
--
"Be excellent to each other"
_______________________________________________
Libevent-users mailing list
Libevent-users@monkey.org
http://monkeymail.org/mailman/listinfo/libevent-users
