[lwip-devel] [bug #56197] HTTPD SSI handler does not handle character se


From: Matthias Dietrich
Subject: [lwip-devel] [bug #56197] HTTPD SSI handler does not handle character sequence /< properly
Date: Tue, 23 Apr 2019 08:06:03 -0400 (EDT)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0

URL:
  <https://savannah.nongnu.org/bugs/?56197>

                 Summary: HTTPD SSI handler does not handle character sequence
/< properly
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: mdietrich
            Submitted on: Tue 23 Apr 2019 12:06:00 PM UTC
                Category: apps
                Severity: 3 - Normal
              Item Group: Faulty Behaviour
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: Other

    _______________________________________________________

Details:

The httpd server supports two sets of SSI markers ('<!--#' and '/*#').
Unfortunately, the parsing function does not properly handle the case where a
character sequence starts with characters of one marker and continues with the
first character of another marker.

Example: <img src="images/<!--#PicDevice-->.png" />

When the parser hits the first '/' character, it changes its state from
TAG_NONE to TAG_LEADIN, as '/' could be the start of the '/*#' marker. The
parser then moves to the next character ('<'). The state machine now checks
whether this character ('<') matches the '/*#' marker. As this is not the
case, the state is switched back to TAG_NONE and the parser moves to the next
character ('!'). Unfortunately, we have now lost the possibility of checking
whether '<' was the start of a marker.

Suggestion:
In the state "TAG_LEADIN", only move to the next character
in the stream when we have found a matching character;
otherwise just change the state back to TAG_NONE but do not
increase ssi->parsed. This allows the current character to be parsed again and
the start of another marker to be detected.







    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?56197>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/
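
An added illustration, not part of the original message and not lwIP source: a reduced C model of the lead-in detection only, run over the report's example with both behaviours (consume the mismatching character, or leave it to be parsed again as suggested). Names other than TAG_NONE and TAG_LEADIN (`find_leadin`, `reparse`, `leadins`) are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the lead-in scan described in the report; not lwIP source.
 * Only TAG_NONE, TAG_LEADIN and the two markers come from the report. */
enum tag_state { TAG_NONE, TAG_LEADIN };
static const char *const leadins[] = { "<!--#", "/*#" };
#define NUM_LEADINS (sizeof(leadins) / sizeof(leadins[0]))

/* Returns the offset of the first complete lead-in marker in buf, or -1.
 * reparse == 0: a mismatching character is consumed (reported behaviour).
 * reparse == 1: drop to TAG_NONE without advancing (the suggestion). */
long find_leadin(const char *buf, int reparse)
{
  enum tag_state state = TAG_NONE;
  size_t parsed = 0, len = strlen(buf), m = 0, idx = 0, start = 0, i;

  while (parsed < len) {
    char c = buf[parsed];
    if (state == TAG_NONE) {
      for (i = 0; i < NUM_LEADINS; i++) {
        if (c == leadins[i][0]) {          /* possible start of marker i */
          m = i; idx = 1; start = parsed; state = TAG_LEADIN;
          break;
        }
      }
      parsed++;
    } else if (c == leadins[m][idx]) {     /* TAG_LEADIN, still matching */
      parsed++;
      if (leadins[m][++idx] == '\0') {
        return (long)start;                /* whole marker seen */
      }
    } else {                               /* TAG_LEADIN, mismatch */
      state = TAG_NONE;
      if (!reparse) {
        parsed++;                          /* the '<' after '/' is skipped here */
      }
    }
  }
  return -1;
}

int main(void)
{
  const char *page = "<img src=\"images/<!--#PicDevice-->.png\" />"; /* example from the report */
  printf("consume on mismatch: %ld\n", find_leadin(page, 0));
  printf("reparse on mismatch: %ld\n", find_leadin(page, 1));
  return 0;
}
```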



