yanivnizry / mongoose

Automatically exported from code.google.com/p/mongoose
MIT License
0 stars 0 forks source link

Random characters at the end of PATH_INFO #327

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?

1. CGI script exists at /script.cgi
2. Repeatedly query URLs containing the CGI script, e.g /script.cgi/test.html
3. Actual PATH_INFO given to the script may end in garbage

What is the expected output? What do you see instead?

Expect PATH_INFO to be set to "/test.html".  Instead, it may end in random 
characters such as "/test.htmlimages/titleBar.png".

What version of the product are you using? On what operating system?

Mongoose version 3.1 on linux

Please provide any additional information below.

In mongoose.c convert_uri_to_filename(), the null terminator needs to be copied 
along with the path_info string.  The following patch seems to fix it:

@@ -1596,7 +1596,7 @@
                          strlen(conn->ctx->config[CGI_EXTENSIONS]), buf) > 0 &&
             (stat_result = mg_stat(buf, st)) == 0) {
           conn->path_info = p + 1;
-          memmove(p + 2, p + 1, strlen(p + 1));
+          memmove(p + 2, p + 1, strlen(p + 1) + 1);
           p[1] = '/';
           break;
         } else {

Original issue reported on code.google.com by Brian.Ha...@gmail.com on 14 Mar 2012 at 8:47

GoogleCodeExporter commented 8 years ago
Submitted 
http://code.google.com/p/mongoose/source/detail?r=d8b453b2bbb7bcf581d51fb79e5ec0
ad670a123e, thank you

Original comment by valenok on 23 Mar 2012 at 7:38