
Index: ChangeLog
===================================================================
--- ChangeLog	(revision 4696)
+++ ChangeLog	(revision 4697)
@@ -1,5 +1,13 @@
-May 2007 - August 2008
+Jul 2010
+   [CtrlAltCa]
+   - backported fix for #858
+
+Jun 2010
    [KVIrc Development Team]
+   - Since KVIrc 4 is out now, development on the 3.x branch is deprecated. Only fixes for big security issues are going to be backported.
+
+May 2007 - Jun 2010
+   [KVIrc Development Team]
    - A lot of changes documented in the svn log. See http://svn.kvirc.de/kvirc/ for the timeline.
 
 02 May 2007
Index: src/modules/dcc/requests.cpp
===================================================================
--- src/modules/dcc/requests.cpp	(revision 4694)
+++ src/modules/dcc/requests.cpp	(revision 4695)
@@ -81,7 +81,8 @@
 	if(KVI_OPTION_BOOL(KviOption_boolNotifyFailedDccHandshakes))
 	{
 		QString szError = QString("Sorry, your DCC %1 request can't be satisfied: %2").arg(dcc->szType.ptr(), errText);
-		dcc_module_reply_errmsg(dcc,szError);
+		//since szError contains an user-suppplied string, we simplify it to avoid any kind of injection (bug #858)
+		dcc_module_reply_errmsg(dcc,szError.simplifyWhiteSpace());
 	}
 }
 
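Review bot: The comment added before the reply call overstates what `simplifyWhiteSpace()` does: it trims the ends and collapses each run of whitespace to a single space, which neutralises the CR/LF that would otherwise start a second IRC line, but it leaves non-whitespace control characters in place, so it is not a defence against "any kind of injection". A narrower comment stops the next reader relying on it for more than it gives, e.g. `// szError embeds the user-supplied DCC type: collapse whitespace so an embedded CR/LF cannot start a second IRC line (bug #858)`, and that also fixes the "suppplied" typo. The enclosing function starts outside the hunk.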
Index: src/kvirc/sparser/kvi_sp_ctcp.cpp
===================================================================
--- src/kvirc/sparser/kvi_sp_ctcp.cpp	(revision 4694)
+++ src/kvirc/sparser/kvi_sp_ctcp.cpp	(revision 4695)
@@ -636,7 +636,7 @@
 }
 
 
-const char * KviServerParser::extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks)
+const char * KviServerParser::extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks, bool bSafeOnly)
 {
 	//
 	// This one extracts the "next" ctcp parameter in msg_ptr
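Review bot: The new `bSafeOnly` parameter is not described in the function's header comment, which still only explains that the next CTCP parameter is extracted; from the later hunks the flag appears to keep backslash escapes undecoded and to stop a `"` from closing a quoted token, and that contract belongs next to the signature. I would add to the existing comment: `// bSafeOnly: do not decode backslash escapes and do not treat '"' as a string terminator; the token is returned as it appeared on the wire (for values echoed back to the peer, bug #858)`. The same omission applies to the QString overload further down and to the two declarations in kvi_sparser.h, where the default `bSafeOnly=false` could carry the same one-line note. The body of extractCtcpParameter continues past the end of the hunk.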
@@ -668,17 +668,20 @@
 		{
 			case '\\':
 				// backslash : escape sequence
-				if(msg_ptr != begin)buffer.append(begin,msg_ptr - begin);
-				msg_ptr++;
-				if(*msg_ptr)
-				{
-					// decode the escape
-					msg_ptr = decodeCtcpEscape(msg_ptr,buffer);
-					begin = msg_ptr;
+				if(bSafeOnly)msg_ptr++;
+				else {
+					if(msg_ptr != begin)buffer.append(begin,msg_ptr - begin);
+					msg_ptr++;
+					if(*msg_ptr)
+					{
+						// decode the escape
+						msg_ptr = decodeCtcpEscape(msg_ptr,buffer);
+						begin = msg_ptr;
+					}
+					// else it is a senseless trailing backslash.
+					// Just ignore and let the function
+					// return spontaneously.
 				}
-				// else it is a senseless trailing backslash.
-				// Just ignore and let the function
-				// return spontaneously.
 			break;
 			case ' ':
 				// space : separate tokens if not in string
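Review bot: The safe branch `if(bSafeOnly)msg_ptr++;` skips only the backslash and leaves `begin` untouched, so the escape sequence is presumably appended to `buffer` verbatim at the next token boundary; if that is the intent, a comment saying so would help, since the rest of the case is about decoding. Style-wise the `else {` block re-indents the whole original body and `if(bSafeOnly)msg_ptr++; else {` is not the brace layout used elsewhere in this function; an early `if(bSafeOnly) { msg_ptr++; break; }` placed ahead of the unchanged body gives the same behaviour with a one-line diff. The QString overload below makes the identical change and the same remarks apply there.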
@@ -693,7 +696,7 @@
 				}
 			break;
 			case '"':
-				if(bInString)
+				if(bInString && !bSafeOnly)
 				{
 					// A string terminator. We don't return
 					// immediately since if !bSpaceBreaks
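Review bot: With `bInString && !bSafeOnly` a closing `"` no longer ends a quoted token in safe mode, but the hunk does not show the branch that sets `bInString` on the opening quote; if that branch, just below the hunk, still runs in safe mode, a token starting with `"` can never leave the quoted state and, since spaces do not separate tokens inside a string, would swallow the rest of the message into one parameter. Guarding the whole `case '"':` with the flag so a quote is plain data in safe mode, e.g. `if(bSafeOnly) break;` as its first statement, avoids that asymmetry. The same condition change is made in the QString overload below and the remark applies there too.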
@@ -721,7 +724,7 @@
 	return msg_ptr;
 }
 
-const char * KviServerParser::extractCtcpParameter(const char * p_msg_ptr,QString &resultBuffer,bool bSpaceBreaks)
+const char * KviServerParser::extractCtcpParameter(const char * p_msg_ptr,QString &resultBuffer,bool bSpaceBreaks, bool bSafeOnly)
 {
 	//
 	// This one extracts the "next" ctcp parameter in p_msg_ptr
@@ -753,15 +756,18 @@
 		{
 			case '\\':
 				// backslash : escape sequence
-				msg_ptr++;
-				if(*msg_ptr)
-				{
-					// decode the escape
-					msg_ptr = decodeCtcpEscape(msg_ptr,buffer);
+				if(bSafeOnly)msg_ptr++;
+				else {
+					msg_ptr++;
+					if(*msg_ptr)
+					{
+						// decode the escape
+						msg_ptr = decodeCtcpEscape(msg_ptr,buffer);
+					}
+					// else it is a senseless trailing backslash.
+					// Just ignore and let the function
+					// return spontaneously.
 				}
-				// else it is a senseless trailing backslash.
-				// Just ignore and let the function
-				// return spontaneously.
 			break;
 			case ' ':
 				// space : separate tokens if not in string
@@ -779,7 +785,7 @@
 				}
 			break;
 			case '"':
-				if(bInString)
+				if(bInString && !bSafeOnly)
 				{
 					// A string terminator. We don't return
 					// immediately since if !bSpaceBreaks
@@ -1709,7 +1715,7 @@
 {
 	KviDccRequest p;
 	KviStr aux    = msg->pData;
-	msg->pData    = extractCtcpParameter(msg->pData,p.szType);
+	msg->pData    = extractCtcpParameter(msg->pData,p.szType, true, true);
 	msg->pData    = extractCtcpParameter(msg->pData,p.szParam1);
 	msg->pData    = extractCtcpParameter(msg->pData,p.szParam2);
 	msg->pData    = extractCtcpParameter(msg->pData,p.szParam3);
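Review bot: Only `p.szType` is now extracted with `bSafeOnly`, while szParam1–szParam3 on the following lines are still fully decoded; that matches the one value visible in the requests.cpp error message, but any of the other parameters that is ever echoed back in a reply would carry the same risk, so a comment recording why only the type is special-cased is worth adding here. The bare `true, true` arguments are also hard to read at the call site; `extractCtcpParameter(msg->pData,p.szType, /* bSpaceBreaks */ true, /* bSafeOnly */ true)` documents them. The enclosing function starts before the hunk.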
Index: src/kvirc/sparser/kvi_sparser.h
===================================================================
--- src/kvirc/sparser/kvi_sparser.h	(revision 4694)
+++ src/kvirc/sparser/kvi_sparser.h	(revision 4695)
@@ -256,8 +256,8 @@
 	static void encodeCtcpParameter(const char * param,QString &buffer,bool bSpaceBreaks = true);
 	static const char * decodeCtcpEscape(const char * msg_ptr,KviStr &buffer);
 	static const char * decodeCtcpEscape(const char * msg_ptr,KviQCString &buffer);
-	static const char * extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks = true);
-	static const char * extractCtcpParameter(const char * msg_ptr,QString &buffer,bool bSpaceBreaks = true);
+	static const char * extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks = true, bool bSafeOnly=false);
+	static const char * extractCtcpParameter(const char * msg_ptr,QString &buffer,bool bSpaceBreaks = true, bool bSafeOnly=false);
 };
 
 #ifndef _KVI_SPARSER_CPP_

Property changes on: .
___________________________________________________________________
Added: svn:mergeinfo
   Merged /trunk/kvirc:r4693
