
Re: [cks-devl] problem in cks_config.c


From: V Alex Brennen
Subject: Re: [cks-devl] problem in cks_config.c
Date: Fri, 14 Sep 2001 21:32:36 -0400 (EDT)

Thanks Francisco.  I went ahead and committed this.  I'm trying
to push out a 0.0.6 release.  I want to try and hurry things
along as much as possible due to the attacks in the US.  I'm
worried my government may attempt to prevent me from working
on cryptography projects in the near future.

There's a security flaw in the cks that I'm working to
fix right now as well.  The cks code currently allows
SQL injection.  I'll put out a 0.0.6 when I have that
fixed.  (CVS snapshots currently do not run.)


        - VAB

On Fri, 14 Sep 2001, Francisco Jesus Monserrat Coll wrote:

>
>
>  Hello,
>
>  There is a small problem in the read_config function used
> to read the config file. The lines are read with fgets, so
> the last character ("\n") of the lines was copied to the
> buffer "line", but never deleted.
>
> One quick fix is to change:
>
>                         name = (char *)strtok(line," ");
>                         value = (char *)strtok('\0',"\0");
>
>                         if(memcmp(name,"bind_ip",7) == 0)
> for
>                         name = (char *)strtok(line," ");
>                         value = (char *)strtok('\0',"\0");
>                         value[strlen(value)-1] = '\0' ;
>
>                       if(memcmp(name,"bind_ip",7) == 0)
>
>  So we replace '\n' by '\0' fixing the problem.
>
> The patch is small:
>
> diff -uNr cks/src/cks_config.c cks.changes/src/cks_config.c
> --- cks/src/cks_config.c        Tue Sep  4 06:47:08 2001
> +++ cks.changes/src/cks_config.c        Fri Sep 14 02:59:26 2001
> @@ -51,6 +51,7 @@
>
>                          name = (char *)strtok(line," ");
>                          value = (char *)strtok('\0',"\0");
> +                       value[strlen(value)-1] = '\0' ;
>
>                         if(memcmp(name,"bind_ip",7) == 0)
>                          {
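
Review bot: the added `value[strlen(value)-1] = '\0' ;` dereferences `value` with no NULL check and removes the last character unconditionally. When a line has no space after the name (a blank line included), the second `strtok` call returns NULL and `strlen(value)` crashes; when the final line of the file has no trailing newline, the last character of the value itself is cut off. Suggest guarding with `if (value != NULL)` and cutting only at an actual newline, for example `value[strcspn(value, "\n")] = '\0';`.
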
>
>
> I'm going to register an ssh public key for sending the patch to the
> CVS repository
>
>
> bye
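
The newline handling discussed in the quoted message, as an added example that is not part of the original post or the cks source: a hypothetical `parse_config_line` helper that strips a line ending only when one is present and rejects lines that carry no value. The function name and the sample lines are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from cks): split one "name value" config line
 * in place. Returns 0 on success, -1 if the line has no name or no value. */
int parse_config_line(char *line, char **name, char **value)
{
    /* Cut at the first CR or LF, if any. Unlike value[strlen(value)-1] = '\0',
     * this leaves a final line that has no newline untouched. */
    line[strcspn(line, "\r\n")] = '\0';

    /* Skip leading blanks, then find the end of the name. */
    line += strspn(line, " \t");
    size_t n = strcspn(line, " \t");
    if (n == 0 || line[n] == '\0')
        return -1;              /* blank line, or a name with no value */
    line[n] = '\0';

    char *v = line + n + 1;
    v += strspn(v, " \t");
    if (*v == '\0')
        return -1;              /* only blanks after the name */

    *name = line;
    *value = v;
    return 0;
}

/* Constructed sample lines, shaped as fgets would return them. */
int main(void)
{
    const char *samples[] = {
        "bind_ip 127.0.0.1\n",   /* normal line */
        "bind_ip 127.0.0.1",     /* last line of a file, no newline */
        "bind_ip 127.0.0.1\r\n", /* CRLF file */
        "bind_ip\n",             /* no value: strtok would return NULL here */
        "\n",                    /* blank line */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[64], *name, *value;
        snprintf(buf, sizeof buf, "%s", samples[i]);
        if (parse_config_line(buf, &name, &value) == 0)
            printf("%s = [%s]\n", name, value);
        else
            printf("rejected line %zu\n", i);
    }
    return 0;
}
```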



