bug-cgicc

[bug-cgicc] Error in cgicc::form_urldecode


From: axolotl
Subject: [bug-cgicc] Error in cgicc::form_urldecode
Date: Wed, 30 Aug 2006 00:13:38 +0200
User-agent: Thunderbird 1.5.0.5 (X11/20060812)

There is an error in cgicc::form_urldecode.

When retrieving the two characters after a % sign, there is a
verification that the distance to the end is >= 2. But in the case it is
== 2, *(it + 2) is end() and so there is no valid character available.
The simple correction is to replace >= by >. A patch is attached.

I don't know if this is exploitable, I did not try.

Regards.

Julien BERNARD

PS: please cc me if you answer to this mail, I'm not on the list.
--- CgiUtils.cpp        2004-06-12 17:24:31.000000000 +0200
+++ CgiUtils.cpp.new    2006-08-30 00:06:39.000000000 +0200
@@ -182,11 +182,11 @@
     case '+':
       result.append(1, ' ');
       break;
     case '%':
        // Don't assume well-formed input
-       if(std::distance(iter, src.end()) >= 2
+       if(std::distance(iter, src.end()) > 2
           && std::isxdigit(*(iter + 1)) && std::isxdigit(*(iter + 2))) {
            c = *++iter;
            result.append(1, hexToChar(c, *++iter));
        }
        // Just pass the % through untouched
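Review bot: In the condition of the '%' case, std::isxdigit(*(iter + 1)) and std::isxdigit(*(iter + 2)) receive the dereferenced value directly; if these are plain char, as the string-style calls on src and result suggest, a byte above 0x7f can be negative and the call is undefined, so cast each argument to unsigned char before the test. The new bound > 2 is right only because iter still sits on the '%' and the distance counts that character, which the comment "Don't assume well-formed input" does not say; stating it there would stop the test from being "corrected" back to >= 2 later. Regression inputs ending in "%", "%4" and "%41" would pin the boundary down.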

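The boundary case described in the message, as an added example that is not part of the original mail or of the cgicc source: a self-contained decoder using the corrected bound, plus a helper that reports which inputs would have made the pre-patch test evaluate `*(iter + 2)` at `end()`. The names `form_urldecode_checked`, `old_check_touches_end` and `hex_to_char` are hypothetical, and the inputs are constructed.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical stand-in for the library's hexToChar(): two hex digits -> one byte.
static char hex_to_char(char hi, char lo) {
    auto val = [](char ch) {
        unsigned char u = static_cast<unsigned char>(ch);
        return std::isdigit(u) ? u - '0' : std::tolower(u) - 'a' + 10;
    };
    return static_cast<char>(val(hi) * 16 + val(lo));
}

// Decode with the corrected bound: a '%' at index i is an escape only when
// i+1 and i+2 both exist, i.e. size - i > 2 (the patched distance test).
std::string form_urldecode_checked(const std::string& src) {
    std::string result;
    for (std::size_t i = 0; i < src.size(); ++i) {
        if (src[i] == '+') {
            result.append(1, ' ');
        } else if (src[i] == '%' && src.size() - i > 2
                   && std::isxdigit(static_cast<unsigned char>(src[i + 1]))
                   && std::isxdigit(static_cast<unsigned char>(src[i + 2]))) {
            result.append(1, hex_to_char(src[i + 1], src[i + 2]));
            i += 2;
        } else {
            result.append(1, src[i]);  // pass '%' and other bytes through untouched
        }
    }
    return result;
}

// True if the pre-patch test (distance >= 2, where distance == size - i) would
// go on to evaluate *(iter + 2) at end(); computed without doing that read.
bool old_check_touches_end(const std::string& src) {
    for (std::size_t i = 0; i < src.size(); ++i) {
        if (src[i] == '%' && src.size() - i == 2
            && std::isxdigit(static_cast<unsigned char>(src[i + 1])))
            return true;  // the && chain reaches *(iter + 2)
    }
    return false;
}

int main() {
    for (const char* s : {"a+b%41", "abc%4", "abc%", "100%zz"})  // constructed inputs
        std::cout << s << " -> " << form_urldecode_checked(s)
                  << (old_check_touches_end(s) ? "  [old check reads end()]" : "") << "\n";
}
```

Only an input whose last two characters are '%' followed by one hex digit reaches the end-of-string read under the old test; a lone trailing '%' fails the distance test first.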