Fix security hole

AngelCarpintero
2008-06-06 06:53:09 +00:00
parent db44c5b046
commit d68a2f63ee


@@ -10,10 +10,7 @@
* See also the file 'COPYING'.
*
*/
//#include "motion.h"
#include "webhttpd.h" /* already includes motion.h */
//#include <sys/types.h>
//#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
@@ -353,7 +350,7 @@ static unsigned short int config(char *pointer, char *res, unsigned short int le
unsigned short int i;
struct context **cnt = userdata;
warningkill = sscanf (pointer, "%256[a-z]%c", command , &question);
warningkill = sscanf (pointer, "%255[a-z]%c", command , &question);
if (!strcmp(command,"list")) {
pointer = pointer + 4;
length_uri = length_uri - 4;
@@ -462,7 +459,7 @@ static unsigned short int config(char *pointer, char *res, unsigned short int le
if ((length_uri != 0) && (question == '?')) {
pointer++;
length_uri--;
warningkill = sscanf(pointer,"%256[-0-9a-z_]%c", command, &question);
warningkill = sscanf(pointer,"%255[-0-9a-z_]%c", command, &question);
/*check command , question == '=' length_uri too*/
if ((question == '=') && (command[0]!='\0')) {
length_uri = length_uri - strlen(command) - 1;
@@ -483,7 +480,7 @@ static unsigned short int config(char *pointer, char *res, unsigned short int le
if (config_params[i].param_name) {
if (length_uri > 0) {
char Value[1024]={'\0'};
warningkill = sscanf(pointer,"%1024s", Value);
warningkill = sscanf(pointer,"%1023s", Value);
length_uri = length_uri - strlen(Value);
if ( (length_uri == 0) && (strlen(Value) > 0) ) {
/* FIXME need to assure that is a valid value */
@@ -697,12 +694,12 @@ static unsigned short int config(char *pointer, char *res, unsigned short int le
/* 8 -> query=param_name FIXME minimum length param_name */
pointer++;
length_uri--;
warningkill = sscanf(pointer,"%256[-0-9a-z]%c", command, &question);
warningkill = sscanf(pointer,"%255[-0-9a-z]%c", command, &question);
if ( (question == '=') && (!strcmp(command,"query")) ) {
pointer = pointer + 6;
length_uri = length_uri - 6;
warningkill = sscanf(pointer, "%256[-0-9a-z_]", command);
warningkill = sscanf(pointer, "%255[-0-9a-z_]", command);
/*check if command exist, length_uri too*/
length_uri = length_uri-strlen(command);
@@ -887,7 +884,7 @@ static unsigned short int action(char *pointer, char *res, unsigned short int le
struct context **cnt = userdata;
unsigned short int i = 0;
warningkill = sscanf (pointer, "%256[a-z]" , command);
warningkill = sscanf (pointer, "%255[a-z]" , command);
if (!strcmp(command,"makemovie")) {
pointer = pointer + 9;
length_uri = length_uri - 9;
@@ -1064,7 +1061,7 @@ static unsigned short int detection(char *pointer, char *res, unsigned short int
struct context **cnt=userdata;
unsigned short int i = 0;
warningkill = sscanf (pointer, "%256[a-z]" , command);
warningkill = sscanf (pointer, "%255[a-z]" , command);
if (!strcmp(command,"status")) {
pointer = pointer + 6;
length_uri = length_uri - 6;
@@ -1227,7 +1224,7 @@ static unsigned short int track(char *pointer, char *res, unsigned short int len
char command[256] = {'\0'};
struct context **cnt = userdata;
warningkill = sscanf(pointer, "%256[a-z]%c", command, &question);
warningkill = sscanf(pointer, "%255[a-z]%c", command, &question);
if (!strcmp(command, "set")) {
pointer=pointer+3;length_uri=length_uri-3;
/* FIXME need to check each value */
@@ -1246,7 +1243,7 @@ static unsigned short int track(char *pointer, char *res, unsigned short int len
/* set?x=value&y=value */
/* pan= or x= | tilt= or y= */
warningkill = sscanf (pointer, "%256[a-z]%c" , command, &question);
warningkill = sscanf (pointer, "%255[a-z]%c" , command, &question);
if (( question != '=' ) || (command[0] == '\0')) {
/* no valid syntax */
@@ -1466,7 +1463,7 @@ static unsigned short int track(char *pointer, char *res, unsigned short int len
/* Check Second parameter */
warningkill = sscanf (pointer, "%c%256[a-z]" ,&question, command);
warningkill = sscanf (pointer, "%c%255[a-z]" ,&question, command);
if ( ( question != '&' ) || (command[0] == '\0') ){
motion_log(LOG_WARNING, 0, "httpd debug race 4");
if ( strstr(pointer,"&")){
@@ -1755,11 +1752,11 @@ static unsigned short int track(char *pointer, char *res, unsigned short int len
length_uri--;
/* value= */
warningkill = sscanf (pointer, "%256[a-z]%c",query,&question);
warningkill = sscanf (pointer, "%255[a-z]%c",query,&question);
if ((question == '=') && (!strcmp(query,"value")) ) {
pointer = pointer + 6;
length_uri = length_uri - 6;
warningkill = sscanf (pointer, "%256[-0-9a-z]" , command);
warningkill = sscanf (pointer, "%255[-0-9a-z]" , command);
if ((command!=NULL) && (strlen(command) > 0)) {
struct context *autocnt;
@@ -1926,7 +1923,7 @@ static unsigned short int handle_get(int client_socket, const char* url, void *u
}
if (length_uri!=0) {
warningkill = sscanf (pointer, "%256[a-z]%c" , command , &slash);
warningkill = sscanf (pointer, "%255[a-z]%c" , command , &slash);
/* config */
if (!strcmp(command,"config")) {
@@ -2135,7 +2132,7 @@ static unsigned short int read_client(int client_socket, void *userdata, char *a
unsigned short int alive = 1;
unsigned short int ret = 1;
char buffer[1024] = {'\0'};
unsigned short int length = 1024;
unsigned short int length = 1023;
struct context **cnt = userdata;
/* lock the mutex */
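Review bot: Every sscanf result is still discarded into `warningkill`, so when the scan set matches nothing, `command` keeps whatever the previous call left in it. In the config hunk at -697 the second scan runs right after `command` compared equal to "query", and `length_uri-strlen(command)` is then computed from that stale text. I would test the return value there and at the other call sites, for example `if (sscanf(pointer, "%255[-0-9a-z_]", command) != 1) command[0] = '\0';`. The widths are also literals repeated by hand rather than tied to the array sizes, and only the track hunk shows `char command[256]`. The other functions start and end outside their hunks, so their `command` and `query` declarations should be confirmed to be 256 bytes, ideally with a comment next to each declaration naming the width that depends on it.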