From 6f56f8dd0eb12ffc1ed23e9e62751c04854f9a74 Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Sun, 28 Aug 2011 00:00:06 -0600
Subject: [PATCH] Bug 3295: broken escaping in rfc1738_do_escape
---
 lib/rfc1738.c | 35 ++++++++++++++++-------------------
 1 file changed, 16 insertions(+), 19 deletions(-)
diff --git a/lib/rfc1738.c b/lib/rfc1738.c
index 834410889e..80234832c1 100644
--- a/lib/rfc1738.c
+++ b/lib/rfc1738.c
@@ -87,8 +87,8 @@ rfc1738_do_escape(const char *url, int flags)
 {
 static char *buf;
 static size_t bufsize = 0;
- const char *p;
- char *q;
+ const char *src;
+ char *dst;
 unsigned int i, do_escape;
 if (buf == NULL || strlen(url) * 3 > bufsize) {
@@ -96,11 +96,11 @@ rfc1738_do_escape(const char *url, int flags)
 bufsize = strlen(url) * 3 + 1;
 buf = (char*)xcalloc(bufsize, 1);
 }
- for (p = url, q = buf; *p != '\0' && q < (buf + bufsize - 1); p++, q++) {
+ for (src = url, dst = buf; *src != '\0' && dst < (buf + bufsize - 1); src++, dst++) {
 /* a-z, A-Z and 0-9 are SAFE. */
- if ((*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') || (*p >= '0' && *p <= '9')) {
- *q = *p;
+ if ((*src >= 'a' && *src <= 'z') || (*src >= 'A' && *src <= 'Z') || (*src >= '0' && *src <= '9')) {
+ *dst = *src;
 continue;
 }
@@ -109,22 +109,22 @@ rfc1738_do_escape(const char *url, int flags)
 /* RFC 1738 defines these chars as unsafe */
 if ((flags & RFC1738_ESCAPE_UNSAFE)) {
 for (i = 0; i < sizeof(rfc1738_unsafe_chars); i++) {
- if (*p == rfc1738_unsafe_chars[i]) {
+ if (*src == rfc1738_unsafe_chars[i]) {
 do_escape = 1;
 break;
 }
 }
 /* Handle % separately */
- if (!(flags & RFC1738_ESCAPE_NOPERCENT) && *p == '%')
+ if (!(flags & RFC1738_ESCAPE_NOPERCENT) && *src == '%')
 do_escape = 1;
 /* Handle space separately */
- else if (!(flags & RFC1738_ESCAPE_NOSPACE) && *p <= ' ')
+ else if (!(flags & RFC1738_ESCAPE_NOSPACE) && *src <= ' ')
 do_escape = 1;
 }
 /* RFC 1738 defines these chars as reserved */
 if ((flags & RFC1738_ESCAPE_RESERVED) && do_escape == 0) {
 for (i = 0; i < sizeof(rfc1738_reserved_chars); i++) {
- if (*p == rfc1738_reserved_chars[i]) {
+ if (*src == rfc1738_reserved_chars[i]) {
 do_escape = 1;
 break;
 }
@@ -132,27 +132,24 @@ rfc1738_do_escape(const char *url, int flags)
 }
 if ((flags & RFC1738_ESCAPE_CTRLS) && do_escape == 0) {
 /* RFC 1738 says any control chars (0x00-0x1F) are encoded */
- if ((unsigned char) *p <= (unsigned char) 0x1F)
+ if ((unsigned char) *src <= (unsigned char) 0x1F)
 do_escape = 1;
 /* RFC 1738 says 0x7f is encoded */
- else if (*p == (char) 0x7F)
+ else if (*src == (char) 0x7F)
 do_escape = 1;
 /* RFC 1738 says any non-US-ASCII are encoded */
- else if (((unsigned char) *p >= (unsigned char) 0x80))
+ else if (((unsigned char) *src >= (unsigned char) 0x80))
 do_escape = 1;
 }
 /* Do the triplet encoding, or just copy the char */
- /* note: we do not need snprintf here as q is appropriately
- * allocated - KA */
-
 if (do_escape == 1) {
- (void) snprintf(q, (bufsize-(p-buf)), "%%%02X", (unsigned char) *p);
- q += sizeof(char) * 2;
+ (void) snprintf(dst, (bufsize-(dst-buf)), "%%%02X", (unsigned char) *src);
+ dst += sizeof(char) * 2;
 } else {
- *q = *p;
+ *dst = *src;
 }
 }
- *q = '\0';
+ *dst = '\0';
 return (buf);
 }
--
2.47.2
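Review bot: In the triplet branch of the last hunk, `snprintf(dst, (bufsize-(dst-buf)), ...)` is now bounded correctly, but its result is discarded and `dst += sizeof(char) * 2` runs unconditionally, while the loop condition `dst < (buf + bufsize - 1)` only guarantees room for one output byte plus the terminator, not for a three-byte triplet. The final `*dst = '\0'` therefore stays in bounds only because `buf` is sized to `strlen(url) * 3 + 1` in the allocation block of the earlier hunk, and this commit removes the one comment that hinted at that dependency. I would state the invariant where the removed note was, e.g. `/* buf holds strlen(url)*3+1 bytes, so "%XX" plus the NUL always fits at dst */`, so that a later change to the sizing or to the escape width cannot silently turn truncation into an out-of-bounds write. rfc1738_do_escape starts outside this hunk.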