diff options
| author |  John Keeping <john@keeping.me.uk> | 2013-04-02 03:03:34 (JST) |
|---|---|---|
| committer |  Jason A. Donenfeld <Jason@zx2c4.com> | 2013-04-08 22:59:46 (JST) |
| commit | b1f17f168b91d709c0c0e62608de301a36f06da9 (patch) | |
| tree | 9aff1fe903087cb5016ab2afdb32a7ca1cc139b2 /ui-shared.c | |
| parent | 4b4a62d507adc61e20e75e2748301ef307a6c95f (diff) | |
| download | cgit-b1f17f168b91d709c0c0e62608de301a36f06da9.zip cgit-b1f17f168b91d709c0c0e62608de301a36f06da9.tar.gz | |
Fix out-of-bounds memory accesses with virtual_root=""
The CGit configuration variable virtual_root is normalized so that it
does not have a trailing '/' character, but it is allowed to be empty
(the empty string and NULL have different meanings here) and there is
code that is insufficiently cautious when checking if it ends in a '/':
if (virtual_root[strlen(virtual_root) - 1] != '/')
Clearly this check is redundant, but rather than simply removing it we
get a slight efficiency improvement by switching the normalization so
that the virtual_root variable always ends in '/'. Do this with a new
"ensure_end" helper.
Signed-off-by: John Keeping <john@keeping.me.uk>
Diffstat (limited to 'ui-shared.c')
| -rw-r--r-- | ui-shared.c | 14 |
1 files changed, 5 insertions, 9 deletions
diff --git a/ui-shared.c b/ui-shared.c index 945d560..c1f3c20 100644 --- a/ui-shared.c +++ b/ui-shared.c | |||
| @@ -57,7 +57,7 @@ const char *cgit_hosturl() | |||
| 57 | const char *cgit_rooturl() | 57 | const char *cgit_rooturl() |
| 58 | { | 58 | { |
| 59 | if (ctx.cfg.virtual_root) | 59 | if (ctx.cfg.virtual_root) |
| 60 | return fmt("%s/", ctx.cfg.virtual_root); | 60 | return ctx.cfg.virtual_root; |
| 61 | else | 61 | else |
| 62 | return ctx.cfg.script_name; | 62 | return ctx.cfg.script_name; |
| 63 | } | 63 | } |
| @@ -65,7 +65,7 @@ const char *cgit_rooturl() | |||
| 65 | char *cgit_repourl(const char *reponame) | 65 | char *cgit_repourl(const char *reponame) |
| 66 | { | 66 | { |
| 67 | if (ctx.cfg.virtual_root) { | 67 | if (ctx.cfg.virtual_root) { |
| 68 | return fmt("%s/%s/", ctx.cfg.virtual_root, reponame); | 68 | return fmt("%s%s/", ctx.cfg.virtual_root, reponame); |
| 69 | } else { | 69 | } else { |
| 70 | return fmt("?r=%s", reponame); | 70 | return fmt("?r=%s", reponame); |
| 71 | } | 71 | } |
| @@ -78,7 +78,7 @@ char *cgit_fileurl(const char *reponame, const char *pagename, | |||
| 78 | char *delim; | 78 | char *delim; |
| 79 | 79 | ||
| 80 | if (ctx.cfg.virtual_root) { | 80 | if (ctx.cfg.virtual_root) { |
| 81 | tmp = fmt("%s/%s/%s/%s", ctx.cfg.virtual_root, reponame, | 81 | tmp = fmt("%s%s/%s/%s", ctx.cfg.virtual_root, reponame, |
| 82 | pagename, (filename ? filename:"")); | 82 | pagename, (filename ? filename:"")); |
| 83 | delim = "?"; | 83 | delim = "?"; |
| 84 | } else { | 84 | } else { |
| @@ -126,11 +126,9 @@ static void site_url(const char *page, const char *search, const char *sort, int | |||
| 126 | { | 126 | { |
| 127 | char *delim = "?"; | 127 | char *delim = "?"; |
| 128 | 128 | ||
| 129 | if (ctx.cfg.virtual_root) { | 129 | if (ctx.cfg.virtual_root) |
| 130 | html_attr(ctx.cfg.virtual_root); | 130 | html_attr(ctx.cfg.virtual_root); |
| 131 | if (ctx.cfg.virtual_root[strlen(ctx.cfg.virtual_root) - 1] != '/') | 131 | else |
| 132 | html("/"); | ||
| 133 | } else | ||
| 134 | html(ctx.cfg.script_name); | 132 | html(ctx.cfg.script_name); |
| 135 | 133 | ||
| 136 | if (page) { | 134 | if (page) { |
| @@ -201,8 +199,6 @@ static char *repolink(const char *title, const char *class, const char *page, | |||
| 201 | html(" href='"); | 199 | html(" href='"); |
| 202 | if (ctx.cfg.virtual_root) { | 200 | if (ctx.cfg.virtual_root) { |
| 203 | html_url_path(ctx.cfg.virtual_root); | 201 | html_url_path(ctx.cfg.virtual_root); |
| 204 | if (ctx.cfg.virtual_root[strlen(ctx.cfg.virtual_root) - 1] != '/') | ||
| 205 | html("/"); | ||
| 206 | html_url_path(ctx.repo->url); | 202 | html_url_path(ctx.repo->url); |
| 207 | if (ctx.repo->url[strlen(ctx.repo->url) - 1] != '/') | 203 | if (ctx.repo->url[strlen(ctx.repo->url) - 1] != '/') |
| 208 | html("/"); | 204 | html("/"); |