Hello all, memcached uses libevent, and I've been working recently on a web-based debugging console as part of it. Since memcached already used libevent for socket notifications, I figured that evhttp would make it easy to add a web-based interface to it. Which it did.
In doing this though, I found a few serious bugs in evhttp_parse_query() that make me wonder if anyone is actually using libevent/http for anything serious. Of course, I may be completely misunderstanding how these functions are supposed to be used, but a lack of documentation found anywhere has caused me to look at the code to figure out how to use it.

The first bit that piqued my interest was in the comment before the evhttp_parse_query code.

> /*
>  * Helper function to parse out arguments in a query.
>  * The arguments are separated by key and value.
>  * URI should already be decoded.
>  */

This seems to be markedly wrong. You should not decode the entire URI query string in one go. You need to parse out the key/value pairs and then decode the key and value bits. For example, if you have a query with parameters like this:

    ?username=frank&password=secret

The existing code works alright, but what if the person's password was se&cret?

Anyway, assuming the developer did or didn't already decode the query string, we get to the evhttp_parse_query function, which will first find the '?', and then basically split the string using '&' as a delimiter. Each key/value pair is split on the '=' so that you get a separate key and value. So if we supply a query of '?username=frank&password=secret', you get the following pairs:

> username=frank
> password=secret

But what if frank used 'se&cret' as a password? The browser would actually send '?username=frank&password=se#38cret', but since we are supposed to decode the entire query string before we parse out the params, then we end up actually processing '?username=frank&password=se&cret'. Since we separate the pairs by splitting the string on '&', we end up with:

    username=frank
    password=se
    cret

Which is entirely not what we wanted. But anyway, that is not really a bug in the event code, but an incorrect comment.
The only real example of code on how to use this function followed the instructions though, and did decode the entire query string before parsing it.

Inside the function, we see that before the key and value are added to the 'headers' structure, the value is decoded, which is correct (although I would say the key should be decoded then too).

> value = evhttp_decode_uri(value);

Which is where we get to the first major bug. evhttp_decode_uri assumes that you are decoding an entire query string which includes a '?', but we can see here that it is being used to decode only a portion of the query string, just a value part.

    if (c == '?') {
        in_query = 1;
    } else if (c == '+' && in_query) {
        c = ' ';

--
"Be excellent to each other"
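As an added illustration (not part of the original post and not libevent's own code), here is a minimal split-then-decode query parser in C that does what the post argues evhttp_parse_query should do: cut the still-encoded query on '&' and '=' first, then decode each key and value on its own, so an encoded '&' inside a password survives and '+' is treated as a space without needing to see a '?' first. The function names, the 64-byte field limits and the sample query strings are my own assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

struct kv { char key[64]; char value[64]; };   /* demo-sized fields (assumed) */

/* Decode ONE component (a key or a value), never the whole query: inside a
 * query '+' is a space and %XX is unescaped; a malformed escape is kept as-is. */
static void decode_component(const char *in, size_t n, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; i < n && o + 1 < outsz; i++) {
        if (in[i] == '+') {
            out[o++] = ' ';
        } else if (in[i] == '%' && i + 2 < n && isxdigit((unsigned char)in[i + 1])
                   && isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
}

/* Split first, decode second: cut the still-encoded query on '&' and '=', then
 * decode each key and value on its own, so %26 in a value is never a separator. */
static int parse_query(const char *uri, struct kv *pairs, int max) {
    const char *p = strchr(uri, '?');
    int n = 0;
    for (p = p ? p + 1 : uri; *p && n < max; n++) {   /* '?' is optional */
        const char *end = strchr(p, '&');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        size_t klen = eq ? (size_t)(eq - p) : len;
        decode_component(p, klen, pairs[n].key, sizeof pairs[n].key);
        decode_component(eq ? eq + 1 : p + len, eq ? len - klen - 1 : 0,
                         pairs[n].value, sizeof pairs[n].value);
        p = end ? end + 1 : p + len;
    }
    return n;
}

/* Demo lookup: decoded value of key in uri, or NULL if absent (static storage). */
static const char *query_value(const char *uri, const char *key) {
    static struct kv pairs[8];
    int n = parse_query(uri, pairs, 8);
    for (int i = 0; i < n; i++)
        if (strcmp(pairs[i].key, key) == 0) return pairs[i].value;
    return NULL;
}
```

With the constructed query `?username=frank&password=se%26cret`, the password comes back as `se&cret` and no stray `cret` pair appears, which is exactly the case the post describes going wrong.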
_______________________________________________
Libevent-users mailing list
Libevent-users@monkey.org
http://monkeymail.org/mailman/listinfo/libevent-users