From: "René Scharfe" <l.s.r@web.de>
To: Matthew DeVore <matvore@google.com>, git@vger.kernel.org
Cc: jeffhost@microsoft.com, gitster@pobox.com, spearce@spearce.org,
jrn@google.com, Jeff King <peff@peff.net>
Subject: Re: [PATCH 2/2] url: do not allow %00 to represent NULL in URLs
Date: Tue, 4 Jun 2019 07:01:01 +0200 [thread overview]
Message-ID: <ca09cb2f-e376-1491-102d-0b06e49530a4@web.de> (raw)
In-Reply-To: <20190603204526.7723-3-matvore@google.com>
Am 03.06.19 um 22:45 schrieb Matthew DeVore:
> There is no reason to allow %00 to terminate a string, so do not allow it.
> Otherwise, we end up returning arbitrary content in the string (that which is
> after the %00) which is effectively hidden from callers and can escape sanity
> checks and validation, and possible be used in tandem with a security
> vulnerability to introduce a payload.
It's a bit hard to see with the (extended, but still) limited context,
but url_decode_internal() effectively returns a NUL-terminated string,
even though it does use a strbuf parameter named "out" for temporary
storage. So callers really have no use for decoded NULs, and this
change thus makes sense to me.
>
> Signed-off-by: Matthew DeVore <matvore@google.com>
> ---
> url.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/url.c b/url.c
> index c0bb4e23c3..cf791cb139 100644
> --- a/url.c
> +++ b/url.c
> @@ -41,21 +41,21 @@ static char *url_decode_internal(const char **query, int len,
> if (!c)
> break;
> if (stop_at && strchr(stop_at, c)) {
> q++;
> len--;
> break;
> }
>
> if (c == '%' && len >= 3) {
> int val = hex2chr(q + 1);
> - if (0 <= val) {
> + if (0 < val) {
> strbuf_addch(out, val);
> q += 3;
> len -= 3;
> continue;
> }
> }
>
> if (decode_plus && c == '+')
> strbuf_addch(out, ' ');
> else
>
next prev parent reply other threads:[~2019-06-04 5:01 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-03 20:45 [PATCH 0/2] Harden url.c URL-decoding logic Matthew DeVore
2019-06-03 20:45 ` [PATCH 1/2] url: do not read past end of buffer Matthew DeVore
2019-06-04 5:00 ` René Scharfe
2019-06-04 17:22 ` Matthew DeVore
2019-06-03 20:45 ` [PATCH 2/2] url: do not allow %00 to represent NULL in URLs Matthew DeVore
2019-06-04 1:02 ` brian m. carlson
2019-06-04 17:38 ` Matthew DeVore
2019-06-04 5:01 ` René Scharfe [this message]
2019-06-04 17:23 ` Matthew DeVore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ca09cb2f-e376-1491-102d-0b06e49530a4@web.de \
--to=l.s.r@web.de \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=jeffhost@microsoft.com \
--cc=jrn@google.com \
--cc=matvore@google.com \
--cc=peff@peff.net \
--cc=spearce@spearce.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).