get-url debug option insecure

Post by kosh »

Hi.

When a url-encoded string is passed to "get-url", the debug output is not correct.
It happens because the url-encoded string is passed directly to the varPrintf function argument.

Code:

newLISP v.10.3.0 on BSD IPv4/6 UTF-8, execute 'newlisp -h' for more info.

> (get-url "http://localhost/%E6%97%A5%E6%9C%AC%E8%AA%9E.txt" "header debug")
HEAD /2.371515E-3226                                                                                                %A5-1.239576E-016   ・戟・0X1.45100BFBFB98CP-380C-1.246019E-0180X1.84038918P-1041A5.691031E-270.txt HTTP/1.1
Host: localhost
User-Agent: newLISP v10300
Connection: close

"Date: Sun, 19 Jun 2011 15:40:05 GMT\r\nServer: Apache/1.3.41 (Unix) mod_tsunami/3.0 mod_gzip/1.3.26.1a\r\nLast-Modified: Wed, 22 Oct 2003 02:25:04 GMT\r\nETag: \"35e800b-1de-3f95ea80;4d229c99\"\r\nAccept-Ranges: bytes\r\nContent-Length: 478\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n"
> 
Patch file is here:

Code:

--- nl-web.c.orig	2011-06-20 00:19:52.000000000 +0900
+++ nl-web.c	2011-06-20 00:22:55.000000000 +0900
@@ -182,7 +182,7 @@
 vasprintf(&buffer, format, argptr); 
 
 result = send(sock, buffer, strlen(buffer), NO_FLAGS_SET);
-if(debug) varPrintf(OUT_CONSOLE, buffer);
+if(debug) varPrintf(OUT_CONSOLE, "%s", buffer);
 
 freeMemory(buffer);
 va_end(argptr);
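Review bot: The return value of `vasprintf` on the first context line is not checked, so on allocation failure `buffer` is undefined by the time it reaches `strlen(buffer)`, `send` and the new `varPrintf(OUT_CONSOLE, "%s", buffer)`. Test for a negative return and bail out before `send`; the returned length can also replace the `strlen` call. The `"%s"` change itself is right, since `buffer` is already-formatted output and must not be parsed as a format a second time.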
@@ -446,14 +446,14 @@
 
 	if(transfer(sock, putPostStr, size) == SOCKET_ERROR) 
 		return(webError(ERROR_TRANSFER));
-	if(debugFlag) varPrintf(OUT_CONSOLE, putPostStr);
+	if(debugFlag) varPrintf(OUT_CONSOLE, "%s", putPostStr);
 	}
 else if(type == HTTP_POST)
 	{
 	sendf(sock, debugFlag, "Content-type: %s\r\nContent-length: %d\r\n\r\n", contentType, size);
 	if(transfer(sock, putPostStr, size) == SOCKET_ERROR) 
 		return(webError(ERROR_TRANSFER));
-	if(debugFlag) varPrintf(OUT_CONSOLE, putPostStr);
+	if(debugFlag) varPrintf(OUT_CONSOLE, "%s", putPostStr);
 	}
 else /* HTTP_GET, HTTP_DELETE */
 	sendf(sock, debugFlag, "\r\n");
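Review bot: In both branches the body is sent with `transfer(sock, putPostStr, size)` but echoed with a plain `"%s"`, which ignores `size`: the echo stops at the first NUL byte, and if `putPostStr` is not NUL-terminated it reads past the end of the data. Bound the debug echo by `size`, for example `varPrintf(OUT_CONSOLE, "%.*s", (int)size, putPostStr)`, or write exactly `size` bytes to the console. The transfer, error check and echo are now identical in the two branches and could be shared.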
@@ -1023,7 +1023,7 @@
 	close(getSocket(IOchannel));
 	}
 else 
-	varPrintf(OUT_CONSOLE, content);
+	varPrintf(OUT_CONSOLE, "%s", content);
 return;
 #endif
 #ifdef DEBUGHTTP
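
The double expansion described in the first post, as an added example that is not part of the original thread or of newLISP's source: `console_printf` and `sendf_debug` are hypothetical stand-ins for `varPrintf` and the `sendf` debug path, and `/100%%.txt` is a constructed input. The unpatched echo is only run on text whose every `%` is doubled, because re-parsing a string such as `%E6` makes printf fetch arguments that were never passed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char console[512];            /* stands in for OUT_CONSOLE */

/* Hypothetical stand-in for varPrintf: 'format' is parsed by printf rules. */
static void console_printf(const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(console, sizeof console, format, ap);
    va_end(ap);
}

/* 1 if every '%' in s is half of a "%%" pair, so re-expansion reads no arguments. */
static int only_escaped_percents(const char *s)
{
    for (; *s; s++)
        if (*s == '%' && *++s != '%')
            return 0;
    return 1;
}

/* Sketch of the sendf debug path; returns the echo, or NULL if the unpatched echo is unsafe. */
static const char *sendf_debug(int patched, const char *format, ...)
{
    char buffer[512];
    va_list ap;
    va_start(ap, format);
    vsnprintf(buffer, sizeof buffer, format, ap);
    va_end(ap);
    if (patched)
        console_printf("%s", buffer);     /* after the patch: buffer is data */
    else if (only_escaped_percents(buffer))
        console_printf(buffer);           /* before: buffer is parsed as a format again */
    else
        return NULL;                      /* "%E6" would fetch a double that was never passed */
    return console;
}

int main(void)
{
    const char *url = "/%E6%97%A5%E6%9C%AC%E8%AA%9E.txt";   /* URL from the post */
    const char *pct = "/100%%.txt";                          /* constructed input */
    printf("patched:   %s", sendf_debug(1, "HEAD %s HTTP/1.1\r\n", url));
    printf("unpatched: %s", sendf_debug(0, "HEAD %s HTTP/1.1\r\n", pct));
    return 0;
}
```

With the patched echo the request line on the console matches the bytes that were sent; the unpatched echo of the constructed input collapses `%%` to `%`, so the debug output no longer matches the request.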


Re: get-url debug option insecure

Post by Lutz »

Thank you very much Kosh!

It's fixed here:

http://www.newlisp.org/downloads/develo ... nprogress/


Re: get-url debug option insecure

Post by kosh »

Thanks Lutz. The fixed newlisp is working fine :)

I found a similar problem in 'get-url' with a custom header.

Code:

--- nl-web.orig.c	2011-07-12 01:48:20.000000000 +0900
+++ nl-web.c	2011-07-12 01:40:20.000000000 +0900
@@ -427,7 +427,7 @@
 
 /* send optional custom header entries */
 if (customHeader != NULL)
-    sendf(sock, debugFlag, customHeader);
+    sendf(sock, debugFlag, "%s", customHeader);
 else
 	{
 	sendf(sock, debugFlag, "User-Agent: newLISP v%d\r\n", version);
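Review bot: `sendf` takes a printf-style format as its third argument and this call site passed caller-supplied `customHeader` there, the same pattern as the earlier `varPrintf` fixes, so the remaining `sendf` and `varPrintf` callers should be audited for non-literal formats. Declaring both functions with the compiler's printf format attribute and building with `-Wformat-security` would let the compiler flag any that are left. Minor: the changed line is indented with spaces while the neighbouring lines use a tab.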
Regards.


Re: get-url debug option insecure

Post by Lutz »

Thank you very much again Kosh!

Fixed here:

http://www.newlisp.org/downloads/develo ... nprogress/
