
[bug-cgicc] std::string::iterator OOB bug in form_urldecode


From: Jim Hull
Subject: [bug-cgicc] std::string::iterator OOB bug in form_urldecode
Date: Mon, 5 Apr 2004 17:10:19 -0700 (PDT)

Hi,

Forgive me if someone has already reported this problem ...

My co-workers and I have come across a string::iterator OOB problem
within the hex decoding portion of form_urldecode.

A malformed hex number causes the string::++ operator to abort due to
the iterator extending past string::end(). Attached is a proposed fix I humbly
offer. Not only does the patch check that an out of boundary condition does
not exist, but it also verifies that the digits following are hex control
characters as described by the HTML 1.1 spec on w3.org. When this
condition is not met (i.e. we don't get %[0-9a-fA-F][0-9a-fA-F]), the
default encoding of the '%' occurs.

Example:

a=blah% ... Behavior in 3.2.2 causes std::string to abort
a=blah% ... Patch behavior causes string to return 'blah%'

a=blah%zz ... Behavior in 3.2.2 causes std::string to return a wrapped number
a=blah%zz ... Patch behavior causes string to return 'blah%zz'

Near as I can tell, this is the best suited behavior that should happen.
Also, as a precedent, the patch provides the same behavior as CGI.pm.

Thanks!

        Jim

Attachment: CgiUtils-fix-iter-blowup.patch
Description: Text document
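
The decoding behavior described in the message, as an added example; it is not the attached patch and not cgicc's own code. The names `hex_value` and `decode_form_value` are hypothetical, and the `+`-to-space step assumes ordinary form encoding.

```cpp
#include <iostream>
#include <string>

// Hypothetical helper (not cgicc API): value of one hex digit, or -1.
static int hex_value(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Hypothetical decoder: a '%' is decoded only when two hex digits follow it
// inside the string; otherwise the '%' is copied through unchanged.
std::string decode_form_value(const std::string& src) {
    std::string out;
    out.reserve(src.size());
    for (std::string::const_iterator it = src.begin(); it != src.end(); ++it) {
        if (*it == '+') {
            out += ' ';                      // assumed form-encoding rule
        } else if (*it == '%') {
            // Bounds check first: never dereference it+1 / it+2 past end().
            if (src.end() - it > 2) {
                int hi = hex_value(*(it + 1));
                int lo = hex_value(*(it + 2));
                if (hi >= 0 && lo >= 0) {
                    out += static_cast<char>(hi * 16 + lo);
                    it += 2;                 // loop's ++it skips the 2nd digit
                    continue;
                }
            }
            out += '%';                      // malformed escape stays literal
        } else {
            out += *it;
        }
    }
    return out;
}

int main() {
    // Constructed inputs, including the two cases from the message.
    const char* samples[] = {"blah%", "blah%zz", "blah%4", "a%20b+c", "%41%4"};
    for (const char* s : samples)
        std::cout << s << " -> " << decode_form_value(s) << "\n";
    return 0;
}
```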

