Hello list,
Here are several patches for uhttpd, one of which fixes several bugs in the
URL-encoding codecs (explained in the patch's message), and the others of which
enhance it as follows:
* The document-root is exposed to Lua
* uh_urlencode() is exposed to Lua.
* URL codecs: buffer overflow and malformed encoding are now detected, and an
error condition is signaled instead of returning an incorrect URL/path.
* URL codecs: buffer overflow and malformed encoding raise an error in the Lua
versions.
Also I am including here a simple test-case to demonstrate some of the effects.
Enable the Lua module, point your lua_handler to it, and access any URL in the
Lua prefix to run it.
Cheers,
David
package/uhttpd/src/uhttpd-lua.c | 36 ++++++++++++++++++++++---
package/uhttpd/src/uhttpd-lua.h | 2 +-
package/uhttpd/src/uhttpd-utils.c | 52 +++++++++++++++++++++++++------------
package/uhttpd/src/uhttpd.c | 9 +++---
package/uhttpd/src/uhttpd.h | 2 +-
5 files changed, 73 insertions(+), 28 deletions(-)
test-uhttpd.lua:
-- Run a few tests on uhttpd
-- `uhttpd` is not defined in this script; it is expected to be a global
-- provided by the host before the script is loaded.
local send = uhttpd.send

--- Join every argument into one string and hand it to send() in a single call.
-- table.concat only accepts strings and numbers, so callers must convert
-- anything else (for example with tostring) before passing it in.
local function write(...)
  local pieces = {...}
  send(table.concat(pieces))
end

-- Use the host's encoder when it is exported; otherwise fall back to a pure-Lua
-- encoder so the rest of the script can still run.
local urlencode = uhttpd.urlencode
if not urlencode then
  -- Percent-escape one character as "%XX" using its byte value.
  local function percent_escape(ch)
    return string.format("%%%02X", string.byte(ch))
  end

  -- Escapes every character matched by %W (non-alphanumeric). The assignment
  -- to a single local drops gsub's second result (the substitution count).
  urlencode = function(str)
    local encoded = str:gsub("%W", percent_escape)
    return encoded
  end
end
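--- Request handler: writes a plain-text diagnostic report about the URL codecs.
--
-- The report has three parts:
--   1. what uhttpd.urldecode does with malformed percent-escapes,
--   2. a dump of the request environment and headers,
--   3. an encode/decode round trip over strings of growing length.
--
-- The handler echoes the whole request environment and all request headers
-- back to the client, so it is a diagnostic aid for a development setup and
-- not something to leave mapped on a reachable device.
--
-- Changes from the posted listing:
--   * two string literals that mail wrapping had split across lines (a Lua
--     syntax error) are rejoined;
--   * the urldecode() failure branch printed the encoded input where the
--     error message was evidently intended (pcall's second result); it now
--     prints the error;
--   * values returned through pcall are passed through tostring() because
--     table.concat rejects non-string, non-number values;
--   * a missing env.headers no longer aborts the report.
--
-- @param env request environment table passed in by the caller
function handle_request( env )
  write( "HTTP/1.1 200 OK\r\n",
         "Content-Type: text/plain\r\n",
         "\r\n" )

  -- Check malformed URL-encoding (Lua interface): a non-hex digit, a bare
  -- '%', and an escape truncated after one digit. The last two end the input
  -- in the middle of an escape, which is where a decoder can read past the
  -- end of its input.
  local mfstrs = { "%0G", "%", "%0" }
  for _, str in ipairs( mfstrs ) do
    local ok, res = pcall( uhttpd.urldecode, str )
    if ok then
      -- Decoding succeeded: the codec accepted malformed input.
      write( 'Malformed string "', str, '" decodes to: "', tostring( res ), '"\n' )
    else
      write( 'Malformed string "', str, '" correctly raise error: ',
             tostring( res ), '\n' )
    end
  end

  -- Show values of URL, etc.
  write( "\n\nenv:\n" )
  for k, v in pairs( env ) do
    write( " ", k, " = ", tostring( v ), "\n" )
  end

  write( "\n\nHeaders:\n" )
  -- Tolerate a missing headers table so the codec checks below still run.
  for k, v in pairs( env.headers or {} ) do
    write( " ", k, " = ", tostring( v ), "\n" )
  end
  write( "\n" )

  -- Check URL-encoding codecs for integrity, buffer-overflow, etc.
  -- The string grows by one character per iteration and is round-tripped at
  -- every length up to 4097.
  -- NOTE(review): 4097 presumably crosses a 4096-byte buffer in the C codecs;
  -- confirm against the buffer sizes in uhttpd-utils.c.
  -- NOTE(review): only printable ASCII (32..126) is generated, so NUL,
  -- control bytes and bytes >= 0x80 are not exercised by this loop.
  -- NOTE(review): math.random is not seeded here, so on Lua 5.1 each run is
  -- expected to test the same sequence; verify on the target interpreter.
  local lstr = ''
  for _ = 1, 4097 do
    lstr = lstr .. string.char( math.random( 32, 126 ) )

    local enc_ok, estr = pcall( urlencode, lstr )
    if not enc_ok then
      -- On failure estr holds the error value, not an encoded string.
      write( "urlencode() raised error on string of length ", #lstr, ": ",
             tostring( estr or '' ), '\n' )
      break
    end

    local dec_ok, dstr = pcall( uhttpd.urldecode, estr )
    if not dec_ok then
      -- On failure dstr holds the error value; report it together with the
      -- original and encoded lengths.
      write( "urldecode() raised error on string of length ", #lstr, " -> ",
             #estr, ": ", tostring( dstr or '' ), '\n' )
      break
    end

    if lstr ~= dstr then
      -- Round trip did not reproduce the input: show all three strings so
      -- the point of divergence can be located.
      write( "urlencode()/urldecode() mismatch on length ",
             #lstr, " -> ", #dstr, "\n\n",
             "Original string: ", lstr, "\n",
             "Encoded string: ", estr, "\n",
             "Decoded string: ", dstr, "\n\n" )
      break
    end
  end
end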