Summary: HTTPD SSI handler does not handle character sequence
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: mdietrich
Submitted on: Tue 23 Apr 2019 12:06:00 PM UTC
Severity: 3 - Normal
Item Group: Faulty Behaviour
Assigned to: None
Discussion Lock: Any
Planned Release: None
lwIP version: Other
The httpd server supports two sets of SSI markers ('<!--#' and '/*#').
Unfortunately, the parsing function does not handle properly the case where a
character sequence starts with characters of one marker and continues with the
first character of another marker.
When the parser hits the first '/' character, it changes its state from
TAG_NONE to TAG_LEADIN, as '/' could be the start of the '/*#' marker. The
parser then moves to the next character ('<'). The state machine now checks
whether this character ('<') matches the '/*#' marker. As this is not the
case, the state is switched back to TAG_NONE and the parser moves to the next
character ('!'). Unfortunately, we have now lost the possibility of checking
whether '<' was the start of a marker.
In the state "TAG_LEADIN", only move to the next character
in the stream when we have found a matching character,
otherwise just change the state back to TAG_NONE but do not
increase ssi->parsed. This allows the current character to be parsed again and
the start of another marker to be detected.
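The behaviour described in the report above, reduced to a stand-alone scanner. This is an added example, not lwIP's httpd code and not part of the original report: `find_leadin`, `LEADINS` and the `reparse_on_mismatch` switch are hypothetical names, and the sample input is constructed. With the switch off, a mismatching character in TAG_LEADIN is consumed; with it on, the character is examined again in TAG_NONE as the report proposes.

```c
#include <stdio.h>
#include <string.h>

/* The two SSI lead-in markers named in the report. */
static const char *const LEADINS[] = { "<!--#", "/*#" };
#define NUM_LEADINS (sizeof(LEADINS) / sizeof(LEADINS[0]))

enum tag_state { TAG_NONE, TAG_LEADIN };

/* Simplified scanner (hypothetical, not lwIP's function): returns the offset
 * just past the first complete lead-in marker in buf, or -1 if none is found.
 * reparse_on_mismatch == 0: reported behaviour, the mismatching char is consumed.
 * reparse_on_mismatch == 1: proposed fix, the char is examined again in TAG_NONE. */
long find_leadin(const char *buf, int reparse_on_mismatch)
{
  enum tag_state state = TAG_NONE;
  size_t marker = 0, matched = 0, parsed = 0, len = strlen(buf), i;

  while (parsed < len) {
    char c = buf[parsed];
    if (state == TAG_NONE) {
      for (i = 0; i < NUM_LEADINS; i++) {
        if (c == LEADINS[i][0]) {   /* possible start of marker i */
          marker = i; matched = 1; state = TAG_LEADIN;
          break;
        }
      }
      parsed++;
    } else if (c == LEADINS[marker][matched]) {
      parsed++;
      if (LEADINS[marker][++matched] == '\0') {
        return (long)parsed;        /* whole lead-in seen */
      }
    } else {
      state = TAG_NONE;
      if (!reparse_on_mismatch) {
        parsed++;                   /* bug: c is never tested as a marker start */
      }
    }
  }
  return -1;
}

int main(void)
{
  const char *sample = "/<!--#tag-->";  /* constructed input */
  printf("consume: %ld, reparse: %ld\n", find_leadin(sample, 0), find_leadin(sample, 1));
  return 0;
}
```

The re-parse variant cannot loop forever: after a mismatch the state is TAG_NONE, and TAG_NONE always advances `parsed`.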
[bug #56197] HTTPD SSI handler does not handle character sequence /< properly
Follow-up Comment #2, bug #56197 (project lwip):
Sure. Actually I could have sent a patch with the bug report, but the thing
is, I am not using the current HEAD version in my project right now, so I was
not sure how you want to proceed.
But yes, I can provide a patch.