[bug #56197] HTTPD SSI handler does not handle character sequence /< properly

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

[bug #56197] HTTPD SSI handler does not handle character sequence /< properly

Wilfred
URL:
  <https://savannah.nongnu.org/bugs/?56197>

                 Summary: HTTPD SSI handler does not handle character sequence
/< properly
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: mdietrich
            Submitted on: Tue 23 Apr 2019 12:06:00 PM UTC
                Category: apps
                Severity: 3 - Normal
              Item Group: Faulty Behaviour
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: Other

    _______________________________________________________

Details:

The httpd server supports two sets of SSI markers ('<!--#' and '/*#').
Unfortunately, the parsing function does not handle properly the case where a
character sequence starts with characters of one marker and continues with the
first character of another marker.

Example: <img src="images/<!--#PicDevice-->.png" />

When the parser hits the first '/' character, it changes its state from
TAG_NONE to TAG_LEADIN, as '/' could be the start of the '/*#' marker. The
parser then moves to the next character ('<'). The state machine now checks
whether this character ('<') matches the '/*#' marker. As this is not the
case, the state is switched back to TAG_NONE and the parser moves to the next
character ('!'). Unfortunenately, we have now lost the possibility of checking
whether '<' was the start of a marker.

Suggestion:
in the state "TAG_LEADIN", only move to the next character
in the stream when we have found a matching character,
otherwise just change the state back to TAG_NONE but do not
increase ssi->parsed. This allows to parse again the current character and
detect the start of another marker.







    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?56197>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/


_______________________________________________
lwip-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-devel
Reply | Threaded
Open this post in threaded view
|

[bug #56197] HTTPD SSI handler does not handle character sequence /< properly

Wilfred
Follow-up Comment #1, bug #56197 (project lwip):

Can you provide a (tested ;-) ) patch that works on your system?

    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?56197>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/


_______________________________________________
lwip-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-devel
Reply | Threaded
Open this post in threaded view
|

[bug #56197] HTTPD SSI handler does not handle character sequence /< properly

Wilfred
Follow-up Comment #2, bug #56197 (project lwip):

Sure. Actually I could have sent a patch with the bug report, but the thing
is, I am not using the current HEAD version in my project right now, so I was
not sure how you want to proceed.
But yes, I can provide a patch.

    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?56197>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/


_______________________________________________
lwip-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-devel