git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
BUG/MINOR: backend: correct parameter value validation in get_server_ph_post()
author Willy Tarreau <w@1wt.eu>
Fri, 15 May 2026 05:14:45 +0000 (05:14 +0000)
committer Willy Tarreau <w@1wt.eu>
Fri, 15 May 2026 13:03:16 +0000 (15:03 +0200)
In the inner while loop that validates each character of a POST parameter
value, the code checks *p via HTTP_IS_TOKEN() and HTTP_IS_LWS() instead
of *end, while the loop condition only advances "end", so only the first
character of each value is validated.

This means spaces or binary data embedded in parameter values after the
first character goes undetected. Fix by replacing both references to *p
with *end to properly scan through all characters as intended.

This bug was introduced in 1.5-dev20 by commit 98634f0c7 ("MEDIUM:
backend: Enhance hash-type directive with an algorithm options") so
the fix must be backported to all versions.

src/backend.c

index 39e304df9e5b6a96636a17e2ebd54525578885e7..2add8cc8ba0f2a21263fa7e91199a4b42869f166 100644 (file)
@@ -370,11 +370,11 @@ struct server *get_server_ph_post(struct stream *s, const struct server *avoid)
                                len -= plen + 1;
 
                                while (len && *end != '&') {
-                                       if (unlikely(!HTTP_IS_TOKEN(*p))) {
+                                       if (unlikely(!HTTP_IS_TOKEN(*end))) {
                                                /* if in a POST, body must be URI encoded or it's not a URI.
                                                 * Do not interpret any possible binary data as a parameter.
                                                 */
-                                               if (likely(HTTP_IS_LWS(*p))) /* eol, uncertain uri len */
+                                               if (likely(HTTP_IS_LWS(*end))) /* eol, uncertain uri len */
                                                        break;
                                                return NULL;                 /* oh, no; this is not uri-encoded.
                                                                              * This body does not contain parameters.
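
Review bot: switching both tests to *end in the while (len && *end != '&') loop changes behaviour for values that previously passed, and the commit message does not say so. Such a value was accepted whole when its first byte was a token character. Now an unencoded space or tab after that byte takes the HTTP_IS_LWS(*end) break and stops the scan there, and any other non-token byte reaches return NULL. Because the fix is marked for backport to all versions, state in the message that server selection can change for such bodies. The diff as shown touches only src/backend.c, so a regression test that posts a value with a space and a non-token byte after the first character would pin both paths.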