> This code treats non-hex characters as zero, they should trigger an error.

"Be liberal in what you accept" :) If there's a problem with it, the base64 decode or the DER parse will fail later. If there's not a problem with it, then there.. is no problem.

> > + if (strchr(p, '+') != NULL && strchr(p, '%') != NULL)
> > + p = urldecode(p);
>
> That '&&' should be '||'. Is it OK to modify 'p' (aka inbuf) in place?

Ouch, you're right! Yes, it's okay to modify it in-place.

> > + else if (!strncmp(inbuf, "POST", 4))
>
> This and the "GET" case above it should check for a space following "POST" or
> "GET".

The GET does do the checking because we have to parse the request line. The POST doesn't bother because it's the message body that counts; the ocsp client code doesn't care about the request URI or version. So I think it's okay as-is. In theory someone could say "POSTER" and "fool" the code, but they'd only be fooling themselves. This isn't a general web server, it's only an OCSP responder, so if you don't send a valid OCSP request, it'll reject it anyway.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
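Review bot: the `strchr(p, '+') != NULL && strchr(p, '%') != NULL` condition in the first quoted hunk only decodes a body that contains both characters, so a request whose base64 payload carries only `%2B`/`%3D` escapes (or only `+`) is handed to the base64 decoder still encoded and fails there for no good reason; `||` is the intended test, and since decoding never lengthens the data, rewriting `p` in place is fine as the reply says.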
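Review bot: `strncmp(inbuf, "POST", 4)` in the second quoted hunk matches any request line that merely begins with those four letters; the reply argues this is harmless because the OCSP body is validated anyway, but checking `inbuf[4] == ' '` is a one-character comparison that keeps the POST branch as strict as the GET branch, which already parses the full request line.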
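The three points raised in this exchange (non-hex characters silently becoming zero, the `&&`/`||` trigger for URL decoding, and matching a method token without the following space) are all small input-validation decisions. The block below is an added example written for this thread, not code from the thread or from OpenSSL's apps/ocsp.c; the function names, return conventions and the sample strings are this example's own, and it shows the strict variant of each check side by side with the behaviour the reviewer objected to.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL code: strict helpers for the three review points
 * (hex input, urldecode trigger, method token). Names are this example's own. */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Strict hex decode: returns the number of bytes written to out, or -1 on an
 * odd-length string, a non-hex character, or insufficient output space.
 * A bad digit is an error here, rather than a zero that a later base64 or
 * DER step has to notice. */
int hex_decode_strict(const char *hex, unsigned char *out, size_t outlen)
{
    size_t n = strlen(hex), i;
    if (n % 2 != 0 || n / 2 > outlen)
        return -1;
    for (i = 0; i < n; i += 2) {
        int hi = hexval((unsigned char)hex[i]);
        int lo = hexval((unsigned char)hex[i + 1]);
        if (hi < 0 || lo < 0)
            return -1;                       /* reject, do not zero */
        out[i / 2] = (unsigned char)(hi << 4 | lo);
    }
    return (int)(n / 2);
}

/* Either '+' or '%' is enough to require URL decoding; the reviewed hunk
 * used '&&', which skips a body that contains only one of the two. */
int needs_urldecode(const char *p)
{
    return strchr(p, '+') != NULL || strchr(p, '%') != NULL;
}

/* In-place URL decode ('+' -> ' ', %XX -> byte). Output is never longer
 * than input, so rewriting the same buffer is safe. Returns 1 on success,
 * 0 on a truncated or non-hex escape (the buffer is then partially decoded). */
int urldecode_inplace(char *p)
{
    char *w = p;
    for (; *p; p++) {
        if (*p == '+') {
            *w++ = ' ';
        } else if (*p == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = (hi < 0) ? -1 : hexval((unsigned char)p[2]);
            if (hi < 0 || lo < 0)
                return 0;
            *w++ = (char)(hi << 4 | lo);
            p += 2;
        } else {
            *w++ = *p;
        }
    }
    *w = '\0';
    return 1;
}

/* Match an HTTP method only when it is followed by a space, so that
 * "POSTER / HTTP/1.0" is not treated as a POST. Returns 1 on match. */
int method_is(const char *line, const char *method)
{
    size_t n = strlen(method);
    return strncmp(line, method, n) == 0 && line[n] == ' ';
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    unsigned char buf[8];
    char body[] = "ME%2Bw+AA%3D%3D";
    printf("hex ok:   %d\n", hex_decode_strict("30820a1f", buf, sizeof buf));
    printf("hex bad:  %d\n", hex_decode_strict("30zz", buf, sizeof buf));
    printf("decode?   %d\n", needs_urldecode(body));
    printf("decoded:  %d -> %s\n", urldecode_inplace(body), body);
    printf("POSTER:   %d\n", method_is("POSTER / HTTP/1.0", "POST"));
    return 0;
}
```

The strict hex decoder and `urldecode_inplace` share `hexval`, and both return an error code instead of a guessed value; the caller can then reject the request with a clear reason rather than relying on base64 or DER parsing to fail later on garbage.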