> This code treats non-hex characters as zero, they should trigger an error.

"Be liberal in what you accept" :) If there's a problem with it, the base64 
decode or the DER parse will fail later.  If there's not a problem with it, 
then there.. is no problem.
 
> > +           if (strchr(p, '+') != NULL && strchr(p, '%') != NULL)
> > +               p = urldecode(p);
> 
> That '&&' should be '||'.  Is it OK to modify 'p' (aka inbuf) in place?

Ouch, you're right!  Yes, it's okay to modify it in-place
 
> > +   else if (!strncmp(inbuf, "POST", 4))
> 
> This and "GET" case above it should check for a space following "POST" or
> "GET".

The GET does do the checking because we have to parse the request line.  The 
POST doesn't bother because it's the message body that counts; the ocsp client 
code doesn't care about the request URI or version.  So I think it's okay 
as-is.  In theory someone could say "POSTER" and "fool" the code, but they'd 
only be fooling themselves. This isn't a general web server, it's only an OCSP 
responder, so if you don't send a valid OCSP request, it'll reject it anyway.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to