On Mon, Aug 15, 2022 at 10:54:57AM +0200, Omar Polo wrote:
> Agreed. Even if some operation failed we can still generate an error
> page; only after server_response_http things get trickier (headers are
> set, logging is done, ...) and just shutting down the reply is easier.
> (it also becomes a d
On 2022/08/15 10:13:07 +0200, Theo Buehler wrote:
> I think you should move the scandir() call to right before the for loop.
> This way the two goto fail before the for loop don't leak the namelist
> (one of these leaks was already there, the other one is added in your
> diff).
right, with the sk
On Mon, Aug 15, 2022 at 09:38:51AM +0200, Omar Polo wrote:
> On 2022/08/15 08:53:05 +0200, Theo Buehler wrote:
> > On Sun, Aug 14, 2022 at 11:15:16PM +0200, Omar Polo wrote:
> > > I was looking for something different when I stumbled upon this.
> > >
> > > - in server_file_index `escapedpath' is
On 2022/08/15 08:53:05 +0200, Theo Buehler wrote:
> On Sun, Aug 14, 2022 at 11:15:16PM +0200, Omar Polo wrote:
> > I was looking for something different when I stumbled upon this.
> >
> > - in server_file_index `escapedpath' is leaked if evbuffer_add_printf
> >fails, similarly the directory
On Sun, Aug 14, 2022 at 11:15:16PM +0200, Omar Polo wrote:
> I was looking for something different when I stumbled upon this.
>
> - in server_file_index `escapedpath' is leaked if evbuffer_add_printf
>fails, similarly the directory entries in the loop. `escapeduri'
>is also leaked if esc
I was looking for something different when I stumbled upon this.
- in server_file_index `escapedpath' is leaked if evbuffer_add_printf
fails, similarly the directory entries in the loop. `escapeduri'
is also leaked if escape_html fails.
- read_errdoc leaks a file descriptor if fstat fail