diff options
author | Jo-Philipp Wich <jow@openwrt.org> | 2008-07-19 16:27:11 +0000 |
---|---|---|
committer | Jo-Philipp Wich <jow@openwrt.org> | 2008-07-19 16:27:11 +0000 |
commit | 447df436fc1d6d788fc5d7ad245fae46c7f3732c (patch) | |
tree | a391a6b5963f1688f833b575a0de6fe0fff7eb3d | |
parent | 21b491c20bbe6456c14bba5c31df17cf65674e93 (diff) |
* luci/libs/http: fix a few corner cases which can lead to bugs in mime decoding, allow the message body to exceed Content-Length by two bytes (to ignore a possible trailing \r\n)
-rw-r--r-- | libs/http/luasrc/http/protocol.lua | 52 |
1 files changed, 25 insertions, 27 deletions
diff --git a/libs/http/luasrc/http/protocol.lua b/libs/http/luasrc/http/protocol.lua index 4cb89779be..1d01b15b1c 100644 --- a/libs/http/luasrc/http/protocol.lua +++ b/libs/http/luasrc/http/protocol.lua @@ -266,6 +266,12 @@ function mimedecode_message_body( src, msg, filecb ) end + local tlen = 0 + local inhdr = false + local field = nil + local store = nil + local lchunk = nil + local function parse_headers( chunk, field ) local stat @@ -294,24 +300,32 @@ function mimedecode_message_body( src, msg, filecb ) field.headers["Content-Type"] = "text/plain" end + if field.name and field.file and filecb then + __initval( msg.params, field.name ) + __appendval( msg.params, field.name, field.file ) + + store = filecb + elseif field.name then + __initval( msg.params, field.name ) + + store = function( hdr, buf, eof ) + __appendval( msg.params, field.name, buf ) + end + else + store = nil + end + return chunk, true end return chunk, false end - - local tlen = 0 - local inhdr = false - local field = nil - local store = nil - local lchunk = nil - local function snk( chunk ) tlen = tlen + ( chunk and #chunk or 0 ) - if msg.env.CONTENT_LENGTH and tlen > tonumber(msg.env.CONTENT_LENGTH) then + if msg.env.CONTENT_LENGTH and tlen > tonumber(msg.env.CONTENT_LENGTH) + 2 then return nil, "Message body size exceeds Content-Length" end @@ -338,9 +352,7 @@ function mimedecode_message_body( src, msg, filecb ) if not eof then return nil, "Invalid MIME section header" - end - - if not field.name then + elseif not field.name then return nil, "Invalid Content-Disposition header" end end @@ -355,29 +367,15 @@ function mimedecode_message_body( src, msg, filecb ) data, eof = parse_headers( data:sub( epos + 1, #data ), field ) inhdr = not eof - - if eof then - if field.file and filecb then - msg.params[field.name] = field.file - store = filecb - else - __initval( msg.params, field.name ) - - store = function( hdr, buf, eof ) - __appendval( msg.params, field.name, buf ) - end - end - end end until not spos - if found then if #data > 78 then lchunk = data:sub( #data - 78 + 1, #data ) data = data:sub( 1, #data - 78 ) - if store and field and field.name then + if store then store( field.headers, data, false ) else return nil, "Invalid MIME section header" @@ -413,7 +411,7 @@ function urldecode_message_body( src, msg ) tlen = tlen + ( chunk and #chunk or 0 ) - if msg.env.CONTENT_LENGTH and tlen > tonumber(msg.env.CONTENT_LENGTH) then + if msg.env.CONTENT_LENGTH and tlen > tonumber(msg.env.CONTENT_LENGTH) + 2 then return nil, "Message body size exceeds Content-Length" elseif tlen > HTTP_MAX_CONTENT then return nil, "Message body size exceeds maximum allowed length" |