eedd93f010
Tinyproxy commit 84f203f and earlier does not process HTTP request lines in the process_request() function and is using uninitialized buffers. This vulnerability allows attackers to access sensitive information at system runtime. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
33 lines
1.1 KiB
Diff
33 lines
1.1 KiB
Diff
From 3764b8551463b900b5b4e3ec0cd9bb9182191cb7 Mon Sep 17 00:00:00 2001
|
|
From: rofl0r <rofl0r@users.noreply.github.com>
|
|
Date: Thu, 8 Sep 2022 15:18:04 +0000
|
|
Subject: [PATCH] prevent junk from showing up in error page in invalid
|
|
requests
|
|
|
|
fixes #457
|
|
|
|
[Retrieved from:
|
|
https://github.com/tinyproxy/tinyproxy/commit/3764b8551463b900b5b4e3ec0cd9bb9182191cb7]
|
|
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
|
---
|
|
src/reqs.c | 4 ++++
|
|
1 file changed, 4 insertions(+)
|
|
|
|
diff --git a/src/reqs.c b/src/reqs.c
|
|
index bce69819..45db118d 100644
|
|
--- a/src/reqs.c
|
|
+++ b/src/reqs.c
|
|
@@ -343,8 +343,12 @@ static struct request_s *process_request (struct conn_s *connptr,
|
|
goto fail;
|
|
}
|
|
|
|
+ /* zero-terminate the strings so they don't contain junk in error page */
|
|
+ request->method[0] = url[0] = request->protocol[0] = 0;
|
|
+
|
|
ret = sscanf (connptr->request_line, "%[^ ] %[^ ] %[^ ]",
|
|
request->method, url, request->protocol);
|
|
+
|
|
if (ret == 2 && !strcasecmp (request->method, "GET")) {
|
|
request->protocol[0] = 0;
|
|
|