[bug-cgicc] Error in cgicc::form_urldecode
From: axolotl
Subject: [bug-cgicc] Error in cgicc::form_urldecode
Date: Wed, 30 Aug 2006 00:13:38 +0200
User-agent: Thunderbird 1.5.0.5 (X11/20060812)

There is an error in cgicc::form_urldecode.

When retrieving the two characters after a % sign, there is a
verification that the distance to the end is >= 2. But in the case it is
== 2, *(it + 2) is end() and so there is no valid character available.
The simple correction is to replace >= by >. A patch is attached.

I don't know if this is exploitable, I did not try.

Regards.
Julien BERNARD

PS: please cc me if you answer this mail, I'm not on the list.

--- CgiUtils.cpp 2004-06-12 17:24:31.000000000 +0200
+++ CgiUtils.cpp.new 2006-08-30 00:06:39.000000000 +0200
@@ -182,11 +182,11 @@
case '+':
result.append(1, ' ');
break;
case '%':
// Don't assume well-formed input
- if(std::distance(iter, src.end()) >= 2
+ if(std::distance(iter, src.end()) > 2
&& std::isxdigit(*(iter + 1)) && std::isxdigit(*(iter + 2))) {
c = *++iter;
result.append(1, hexToChar(c, *++iter));
}
// Just pass the % through untouched
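
Review bot: the new bound `> 2` on the `std::distance(iter, src.end())` line is correct, since both `*(iter + 1)` and `*(iter + 2)` must lie before `src.end()`, but it reads like an off-by-one at first glance; writing it as `>= 3` or extending the "Don't assume well-formed input" comment to say that two characters must follow the `%` would document the intent. On the unchanged continuation line, `*(iter + 1)` and `*(iter + 2)` are passed straight to `std::isxdigit`; if the element type is plain `char`, a byte with the high bit set is negative and that call has undefined behaviour, so cast each to `unsigned char` first. A regression test with an input that ends in `%` followed by a single hex digit would pin the fix.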
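
The boundary condition described in the report, as an added example that is not cgicc's code or the poster's patch: a stand-alone decoder that checks the remaining length by index and casts to `unsigned char` before `std::isxdigit`. The names `urlDecode` and `hexValue` are hypothetical and the sample inputs are constructed.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Value of one hex digit; the caller has already checked isxdigit().
static int hexValue(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    return std::tolower(static_cast<unsigned char>(c)) - 'a' + 10;
}

// Hypothetical stand-alone form decoder (assumption: same behaviour as the
// patched hunk, i.e. '+' becomes a space and a bad '%' is passed through).
std::string urlDecode(const std::string& src) {
    std::string result;
    result.reserve(src.size());
    for (std::string::size_type i = 0; i < src.size(); ++i) {
        const char c = src[i];
        if (c == '+') {
            result.push_back(' ');
        } else if (c == '%'
                   // src[i + 1] and src[i + 2] must both exist, so at least
                   // three characters must remain from i: "distance > 2".
                   && src.size() - i > 2
                   && std::isxdigit(static_cast<unsigned char>(src[i + 1]))
                   && std::isxdigit(static_cast<unsigned char>(src[i + 2]))) {
            const int byte = hexValue(src[i + 1]) * 16 + hexValue(src[i + 2]);
            result.push_back(static_cast<char>(byte));
            i += 2;  // skip the two hex digits just consumed
        } else {
            result.push_back(c);  // ordinary byte, or malformed/truncated '%'
        }
    }
    return result;
}

int main() {
    // Constructed inputs: well-formed, truncated after one digit, bare '%',
    // non-hex digits, and a high-bit byte after '%'.
    const char* samples[] = {"a+b%41", "abc%4", "abc%", "%zz1", "%\xE9" "1"};
    for (const char* s : samples)
        std::cout << '[' << s << "] -> [" << urlDecode(s) << "]\n";
    return 0;
}
```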