Fossil

Check-in [be5d83f9]

Overview
Comment: New security feature: Reject any query parameter, POST parameter, or cookie whose name contains a non-alphanumeric character. No known vulnerabilities exist because of this. I'm just being paranoid. This enhancement is inspired by Drupalgeddon2.
SHA3-256: be5d83f93ac66f6553a874704dd2f6c439cf6aa7b78f29d0fa591177399ca233
User & Date: drh 2018-03-29 15:16:16.544
Original Comment: New security feature: Reject any query parameter, POST parameter, or cookie whose name contains a non-alphanumeric character.
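The rule the commit message describes, as an added example rather than Fossil's own code: a parameter name is accepted only if it starts with a lowercase ASCII letter and every following character is an ASCII letter or digit (this check-in's rule; the follow-up check-in listed below relaxes it to allow "_"). The helper names `param_name_ok`, `param_name_ok_n` and `count_accepted_params` are hypothetical, the query string is constructed for the demonstration, and the check is written against a length-bounded span and a NULL pointer so it cannot read past its input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASCII-only classification, deliberately independent of the C locale:
** the C library's isalnum() changes behaviour with setlocale(), which is
** not what an allowlist wants. */
static int is_lower_ascii(unsigned char c){ return c>='a' && c<='z'; }
static int is_alnum_ascii(unsigned char c){
  return (c>='a' && c<='z') || (c>='A' && c<='Z') || (c>='0' && c<='9');
}

/* Allowlist check over the first n bytes of z (hypothetical helper).
** Returns 1 if the name is acceptable, 0 otherwise. NULL and empty
** names are rejected rather than dereferenced. */
int param_name_ok_n(const char *z, size_t n){
  if( z==NULL || n==0 || !is_lower_ascii((unsigned char)z[0]) ) return 0;
  for(size_t i=1; i<n; i++){
    if( !is_alnum_ascii((unsigned char)z[i]) ) return 0;
  }
  return 1;
}

/* Same check for a NUL-terminated name (hypothetical helper). */
int param_name_ok(const char *zName){
  return zName ? param_name_ok_n(zName, strlen(zName)) : 0;
}

/* Walk a raw "k=v&k2=v2" query string and count how many parameter
** names pass the allowlist; rejected names are counted in *pnRejected.
** Empty segments (as in "a=1&&b=2") are skipped, not counted.
** (Hypothetical helper; the real cgi.c parser also dehttpizes values.) */
int count_accepted_params(const char *zQuery, int *pnRejected){
  int nKept = 0, nRej = 0;
  const char *z = zQuery ? zQuery : "";
  while( *z ){
    const char *zStart = z;
    while( *z && *z!='=' && *z!='&' ) z++;
    size_t n = (size_t)(z - zStart);
    while( *z && *z!='&' ) z++;      /* skip "=value" if present */
    if( *z=='&' ) z++;
    if( n==0 ) continue;
    if( param_name_ok_n(zStart, n) ) nKept++; else nRej++;
  }
  if( pnRejected ) *pnRejected = nRej;
  return nKept;
}

int main(void){
  /* Constructed sample: "a" and "e" pass; "b_c" (underscore), "X"
  ** (uppercase first character) and "d%00" (percent sign) are rejected. */
  const char *zSample = "a=1&b_c=2&X=3&d%00=4&e";
  int nRej = 0;
  int nKept = count_accepted_params(zSample, &nRej);
  printf("accepted=%d rejected=%d\n", nKept, nRej);
  return 0;
}
```

Checking the span by length instead of copying the name into a fixed buffer avoids the classic mistake of truncating an over-long name and then validating only the truncated prefix.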
References
2018-03-29 15:20 Slight revision to [be5d83f93ac66f65] to allow "_" in parameter names. ... (check-in: e09df6ea user: drh tags: trunk)
Context
2018-03-29 15:20 Slight revision to [be5d83f93ac66f65] to allow "_" in parameter names. ... (check-in: e09df6ea user: drh tags: trunk)
2018-03-29 15:16 New security feature: Reject any query parameter, POST parameter, or cookie whose name contains a non-alphanumeric character. No known vulnerabilities exist because of this. I'm just being paranoid. This enhancement is inspired by Drupalgeddon2. ... (check-in: be5d83f9 user: drh tags: trunk)
2018-03-28 18:38 Update the built-in SQLite to the first 3.23.0 beta. ... (check-in: d470fc70 user: drh tags: trunk)
Changes
Changes to src/blob.c.
src/blob.c, lines 112-125 before the change:
}
int fossil_isalpha(char c){
  return (c>='a' && c<='z') || (c>='A' && c<='Z');
}
int fossil_isalnum(char c){
  return (c>='a' && c<='z') || (c>='A' && c<='Z') || (c>='0' && c<='9');
}
/*
** COMMAND: test-isspace
**
** Verify that the fossil_isspace() routine is working correctly by
** testing it on all possible inputs.
src/blob.c, lines 112-133 after the change:
}
int fossil_isalpha(char c){
  return (c>='a' && c<='z') || (c>='A' && c<='Z');
}
int fossil_isalnum(char c){
  return (c>='a' && c<='z') || (c>='A' && c<='Z') || (c>='0' && c<='9');
}

/* Return true if and only if the entire string consists of only
** alphanumeric characters.
*/
int fossil_all_alnum(const char *z){
  while( z && fossil_isalnum(z[0]) ) z++;
  return z[0]==0;
}


/*
** COMMAND: test-isspace
**
** Verify that the fossil_isspace() routine is working correctly by
** testing it on all possible inputs.
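Review bot: fossil_all_alnum() is not NULL-safe despite the `z &&` guard in its loop condition: when z is NULL the while test is false on the first iteration and control falls through to `return z[0]==0`, which dereferences NULL. Either drop the guard (the only caller passes zName+1, which is never NULL) or return early with `if( z==0 ) return 0;` before the loop. A comment noting that the check is deliberately ASCII-only and locale-independent, unlike the C library's isalnum(), would also help future readers, since that property is what makes it usable as an allowlist.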
Changes to src/cgi.c.
src/cgi.c, lines 583-597 before the change:
        z++;
      }
      dehttpize(zValue);
    }else{
      if( *z ){ *z++ = 0; }
      zValue = "";
    }
    if( fossil_islower(zName[0]) ){
      cgi_set_parameter_nocopy(zName, zValue, isQP);
    }
#ifdef FOSSIL_ENABLE_JSON
    json_setenv( zName, cson_value_new_string(zValue,strlen(zValue)) );
#endif /* FOSSIL_ENABLE_JSON */
  }
}
src/cgi.c, lines 583-597 after the change:
        z++;
      }
      dehttpize(zValue);
    }else{
      if( *z ){ *z++ = 0; }
      zValue = "";
    }
    if( fossil_islower(zName[0]) && fossil_all_alnum(zName+1) ){
      cgi_set_parameter_nocopy(zName, zValue, isQP);
    }
#ifdef FOSSIL_ENABLE_JSON
    json_setenv( zName, cson_value_new_string(zValue,strlen(zValue)) );
#endif /* FOSSIL_ENABLE_JSON */
  }
}
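Review bot: the new fossil_all_alnum(zName+1) guard only protects cgi_set_parameter_nocopy(); the json_setenv() call a few lines below is still unconditional under FOSSIL_ENABLE_JSON, so a name containing rejected characters is still placed into the JSON environment. If the intent is to reject such names everywhere, move the json_setenv() call inside the same `if`. Two smaller points: rejected names are dropped silently, so a short comment (or a debug trace) explaining why would help anyone later wondering where a parameter went, and the rule as written also rejects "_" in names, which the follow-up check-in e09df6ea has to relax.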