
[bug-cgicc] [resed] malformed input cause form_urldecode to consume too


From: ruiheng fine
Subject: [bug-cgicc] [resed] malformed input cause form_urldecode to consume too many memory
Date: Tue, 05 Aug 2003 16:49:27 +0000

(I had tried to send this email using address@hidden, but it seems that the mail never arrived.)

Hi all,
   the code of form_urldecode is quite simple:

std::string
cgicc::form_urldecode(const std::string& src)
{
 std::string result;
 std::string::const_iterator iter;
 char c;

 for(iter = src.begin(); iter != src.end(); ++iter) {
   switch(*iter) {
   case '+':
     result.append(1, ' ');
     break;
   case '%':
     // assume well-formed input
     c = *++iter;
     result.append(1, hexToChar(c, *++iter));
     break;
   default:
     result.append(1, *iter);
     break;
   }
 }

 return result;
}

 Obviously, the author of this function assumes (incorrectly) that the
input is well-formed. If the query string is something like this:
a=%
then the loop will never end, which makes the program consume all available
memory.

 This is a serious bug and it has existed for a long time. Any program using
the cgicc library is vulnerable. And what is very strange is that the author
knows that!! Maybe he planned to fix it some time later but forgot it.
Please fix it ASAP.

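PS: The workaround I am using now is to change the two problem lines to:
     // iter points at '%'; both hex digits must lie before src.end(),
     // so more than two characters ('%' plus two digits) must remain
     if (std::distance(iter, src.end()) > 2) {
       c = *++iter;
       result.append(1, hexToChar(c, *++iter));
     }
     else {
       result.append(1, '%');
     }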


Gilbert Fine
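
A bounds-checked decoder for the failure described in the message above, as an added example that is not part of the original post and is not cgicc's code. The names checked_form_urldecode and hex_value are hypothetical, and it goes one step further than the message by also rejecting non-hex digits and counting malformed escapes so a caller can log or refuse the request.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical helper: value of one hex digit, or -1 if c is not a hex digit.
static int hex_value(char c) {
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

// Hypothetical decoder. A '%' is decoded only when two hex digits follow it
// inside the buffer; otherwise it is copied literally and *malformed is bumped.
// Index arithmetic is used so the position can never step past src.size().
std::string checked_form_urldecode(const std::string& src,
                                   std::size_t* malformed = nullptr) {
  std::string result;
  result.reserve(src.size());  // decoded output is never longer than the input
  for (std::size_t i = 0; i < src.size(); ++i) {
    const char ch = src[i];
    if (ch == '+') {
      result.push_back(' ');
    } else if (ch == '%') {
      int hi = -1, lo = -1;
      if (src.size() - i > 2) {  // two more characters exist after '%'
        hi = hex_value(src[i + 1]);
        lo = hex_value(src[i + 2]);
      }
      if (hi >= 0 && lo >= 0) {
        result.push_back(static_cast<char>(hi * 16 + lo));
        i += 2;  // skip the two digits just consumed
      } else {
        result.push_back('%');  // truncated or non-hex escape
        if (malformed) ++*malformed;
      }
    } else {
      result.push_back(ch);
    }
  }
  return result;
}

int main() {
  // Constructed inputs: valid escape, bare '%', and '%' with a single digit.
  for (const char* q : {"a=%41+b", "a=%", "a=%4"}) {
    std::size_t bad = 0;
    std::string out = checked_form_urldecode(q, &bad);
    std::cout << q << " -> " << out << " (malformed: " << bad << ")\n";
  }
}
```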
