authorJo-Philipp Wich <jow@openwrt.org>2008-07-19 16:27:11 +0000
committerJo-Philipp Wich <jow@openwrt.org>2008-07-19 16:27:11 +0000
commit447df436fc1d6d788fc5d7ad245fae46c7f3732c (patch)
treea391a6b5963f1688f833b575a0de6fe0fff7eb3d
parent21b491c20bbe6456c14bba5c31df17cf65674e93 (diff)
* luci/libs/http: fix a few corner cases which can lead to bugs in mime decoding, allow the message body to exceed Content-Length by two bytes (to ignore a possible trailing \r\n)
-rw-r--r--libs/http/luasrc/http/protocol.lua52
1 files changed, 25 insertions, 27 deletions
diff --git a/libs/http/luasrc/http/protocol.lua b/libs/http/luasrc/http/protocol.lua
index 4cb89779be..1d01b15b1c 100644
--- a/libs/http/luasrc/http/protocol.lua
+++ b/libs/http/luasrc/http/protocol.lua
@@ -266,6 +266,12 @@ function mimedecode_message_body( src, msg, filecb )
end
+ local tlen = 0
+ local inhdr = false
+ local field = nil
+ local store = nil
+ local lchunk = nil
+
local function parse_headers( chunk, field )
local stat
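Review bot: With `field` now declared above `local function parse_headers( chunk, field )`, the second parameter shadows the new upvalue of the same name, so every `field` inside the body refers to the argument rather than the shared state. That works as long as callers pass the current `field`, but it is easy to misread next to `store`, which the function assigns as an upvalue in the next hunk. Renaming the parameter (for example `parse_headers( chunk, part )`) or adding a comment such as `-- field: the part being parsed (shadows the outer local)` would make the intent explicit. The body of parse_headers continues outside this hunk.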
@@ -294,24 +300,32 @@ function mimedecode_message_body( src, msg, filecb )
field.headers["Content-Type"] = "text/plain"
end
+ if field.name and field.file and filecb then
+ __initval( msg.params, field.name )
+ __appendval( msg.params, field.name, field.file )
+
+ store = filecb
+ elseif field.name then
+ __initval( msg.params, field.name )
+
+ store = function( hdr, buf, eof )
+ __appendval( msg.params, field.name, buf )
+ end
+ else
+ store = nil
+ end
+
return chunk, true
end
return chunk, false
end
-
- local tlen = 0
- local inhdr = false
- local field = nil
- local store = nil
- local lchunk = nil
-
local function snk( chunk )
tlen = tlen + ( chunk and #chunk or 0 )
- if msg.env.CONTENT_LENGTH and tlen > tonumber(msg.env.CONTENT_LENGTH) then
+ if msg.env.CONTENT_LENGTH and tlen > tonumber(msg.env.CONTENT_LENGTH) + 2 then
return nil, "Message body size exceeds Content-Length"
end
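Review bot: In `snk`, `tonumber(msg.env.CONTENT_LENGTH) + 2` raises a Lua arithmetic error instead of returning `nil, err` when the header value is not numeric, because `tonumber` then yields nil; the same expression is added to the sink of `urldecode_message_body` in the last hunk. If the front end does not validate the header before it reaches `msg.env`, a malformed request aborts the decoder outside the normal error path. Converting once and rejecting a nil result, `local clen = tonumber(msg.env.CONTENT_LENGTH)` followed by `if msg.env.CONTENT_LENGTH and not clen then return nil, "Invalid Content-Length header" end`, keeps the failure reportable. The two bytes of slack are accepted whatever they contain, so a comment like `-- +2: tolerate a trailing \r\n after the body; the bytes themselves are not checked` would document the limit. snk continues outside the hunk.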
@@ -338,9 +352,7 @@ function mimedecode_message_body( src, msg, filecb )
if not eof then
return nil, "Invalid MIME section header"
- end
-
- if not field.name then
+ elseif not field.name then
return nil, "Invalid Content-Disposition header"
end
end
@@ -355,29 +367,15 @@ function mimedecode_message_body( src, msg, filecb )
data, eof = parse_headers( data:sub( epos + 1, #data ), field )
inhdr = not eof
-
- if eof then
- if field.file and filecb then
- msg.params[field.name] = field.file
- store = filecb
- else
- __initval( msg.params, field.name )
-
- store = function( hdr, buf, eof )
- __appendval( msg.params, field.name, buf )
- end
- end
- end
end
until not spos
-
if found then
if #data > 78 then
lchunk = data:sub( #data - 78 + 1, #data )
data = data:sub( 1, #data - 78 )
- if store and field and field.name then
+ if store then
store( field.headers, data, false )
else
return nil, "Invalid MIME section header"
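Review bot: The relaxed guard `if store then` can call a stale callback, because `store` is only reassigned once `parse_headers` reports complete headers and nothing visible here clears it when the next part begins. If the headers of a new part are still incomplete (`inhdr` true) and more than 78 bytes are buffered, those bytes would be handed to the previous part's `store` rather than rejected; the removed `field and field.name` test presumably caught this, assuming `field` is reset per part outside the hunk. Keeping the header state in the condition, `if store and not inhdr then`, or setting `store = nil` where the new `field` is created, would preserve the old rejection. The enclosing `snk` starts and ends outside this hunk.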
@@ -413,7 +411,7 @@ function urldecode_message_body( src, msg )
tlen = tlen + ( chunk and #chunk or 0 )
- if msg.env.CONTENT_LENGTH and tlen > tonumber(msg.env.CONTENT_LENGTH) then
+ if msg.env.CONTENT_LENGTH and tlen > tonumber(msg.env.CONTENT_LENGTH) + 2 then
return nil, "Message body size exceeds Content-Length"
elseif tlen > HTTP_MAX_CONTENT then
return nil, "Message body size exceeds maximum allowed length"