Avoid information leakage with badly formed download header
Parsing of Content-Disposition relies on well formed headers. A malformed header such as: Content-Disposition=""; will result in a strndup(payload->content_disp_name, -1, ptr), which will copy memory until it hits a \0. Prevent this by only copying the value if it exists. Fixes FS#73704. Signed-off-by: Allan McRae <allan@archlinux.org>
parent
632eb9739d
commit
40583ebe89
1 changed files with 5 additions and 2 deletions
|
@ -295,8 +295,11 @@ static size_t dload_parseheader_cb(void *ptr, size_t size, size_t nmemb, void *u
|
||||||
endptr--;
|
endptr--;
|
||||||
}
|
}
|
||||||
|
|
||||||
STRNDUP(payload->content_disp_name, fptr, endptr - fptr + 1,
|
/* avoid information leakage with badly formed headers */
|
||||||
RET_ERR(payload->handle, ALPM_ERR_MEMORY, realsize));
|
if(endptr > fptr) {
|
||||||
|
STRNDUP(payload->content_disp_name, fptr, endptr - fptr + 1,
|
||||||
|
RET_ERR(payload->handle, ALPM_ERR_MEMORY, realsize));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
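Review bot: The new guard `if(endptr > fptr)` also drops a valid one-character filename, because the copy length is `endptr - fptr + 1` and so `endptr == fptr` describes a 1-byte value, not an empty one. Only `endptr < fptr` gives the zero or negative length behind the over-read described in the commit message, so `if(endptr >= fptr) {` would close it without rejecting short names. The computation of endptr and the quote stripping start above this hunk, so confirm there that a value consisting of a lone `"` still ends with endptr below fptr. A short comment noting that endptr is inclusive would make the bound easier to check.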