Overview
Comment: | New security feature: Reject any query parameter, POST parameter, or cookie whose name contains a non-alphanumeric character. No known vulnerabilities exist because of this. I'm just being paranoid. This enhancement is inspired by Drupalgeddon2. |
Downloads: | Tarball | ZIP archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA3-256: | be5d83f93ac66f6553a874704dd2f6c4 |
User & Date: | drh 2018-03-29 15:16:16.544 |
Original Comment: | New security feature: Reject any query parameter, POST parameter, or cookie whose name contains a non-alphanumeric character. |
References
2018-03-29
15:20 | Slight revision to [be5d83f93ac66f65] to allow "_" in parameter names. ... (check-in: e09df6ea user: drh tags: trunk) |
Context
2018-03-29
15:20 | Slight revision to [be5d83f93ac66f65] to allow "_" in parameter names. ... (check-in: e09df6ea user: drh tags: trunk) |
15:16 | New security feature: Reject any query parameter, POST parameter, or cookie whose name contains a non-alphanumeric character. No known vulnerabilities exist because of this. I'm just being paranoid. This enhancement is inspired by Drupalgeddon2. ... (check-in: be5d83f9 user: drh tags: trunk) |
2018-03-28
18:38 | Update the built-in SQLite to the first 3.23.0 beta. ... (check-in: d470fc70 user: drh tags: trunk) |
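The rule this check-in applies, shown as an added stand-alone example that is not part of Fossil's source: a C program that walks a constructed query string, accepts only names that start with a lowercase ASCII letter and continue with ASCII alphanumerics (the same test as `fossil_islower(zName[0]) && fossil_all_alnum(zName+1)` in the diff below), and counts what is dropped. It shows that a `#`-prefixed render-array key of the kind used against Drupalgeddon2 is rejected, and also that an ordinary `form_id`-style name is rejected by this revision because of the underscore, which is what the follow-up check-in e09df6ea relaxes. The function names `name_ok` and `filter_query` and the sample query string are this example's own assumptions, not Fossil identifiers.

```c
/*
** Added example, not Fossil's own code: a stand-alone restatement of the
** parameter-name rule from check-in be5d83f9, applied to a constructed
** query string. A name must start with a lowercase ASCII letter and
** continue with ASCII alphanumerics only; anything else is dropped before
** it would reach the parameter table. Build with: cc -o qfilter qfilter.c
*/
#include <stdio.h>
#include <string.h>

/* Classification done on unsigned values so that bytes >= 0x80 (UTF-8
** lead/continuation bytes) are rejected whether or not char is signed. */
static int is_lower(unsigned char c){ return c>='a' && c<='z'; }
static int is_alnum(unsigned char c){
  return (c>='a' && c<='z') || (c>='A' && c<='Z') || (c>='0' && c<='9');
}

/* Return 1 if a parameter name of length n is acceptable under the rule:
** non-empty, lowercase first byte, alphanumeric thereafter. */
int name_ok(const char *z, size_t n){
  size_t i;
  if( n==0 || !is_lower((unsigned char)z[0]) ) return 0;
  for(i=1; i<n; i++){
    if( !is_alnum((unsigned char)z[i]) ) return 0;
  }
  return 1;
}

/* Walk a raw query string ("a=1&b=2&..."), apply name_ok() to each name,
** copy the accepted names NUL-separated into out (when they fit), and
** return how many were accepted. Rejected count goes to *pRejected.
** Values are ignored: the point of the check-in is the name, not the value. */
int filter_query(const char *q, char *out, size_t outsz, int *pRejected){
  int accepted = 0;
  size_t used = 0;
  *pRejected = 0;
  while( *q ){
    const char *amp = strchr(q, '&');
    size_t plen = amp ? (size_t)(amp-q) : strlen(q);
    const char *eq = memchr(q, '=', plen);
    size_t nlen = eq ? (size_t)(eq-q) : plen;   /* name is everything before '=' */
    if( name_ok(q, nlen) ){
      if( used + nlen + 1 <= outsz ){
        memcpy(out+used, q, nlen);
        out[used+nlen] = 0;
        used += nlen + 1;
      }
      accepted++;
    }else{
      (*pRejected)++;
    }
    q = amp ? amp+1 : q+plen;
  }
  return accepted;
}

int main(void){
  /* Constructed input: two ordinary names, a "#post_render" key of the
  ** kind used against Drupalgeddon2, an underscore name, an uppercase
  ** name, and a percent-encoded name. Only "name" and "n9" survive. */
  const char *q = "name=fossil&#post_render=bad&form_id=x&Page=1&n9=2&a%20b=3";
  char buf[256];
  int rej;
  int n = filter_query(q, buf, sizeof buf, &rej);
  printf("accepted %d, rejected %d\n", n, rej);
  return 0;
}
```

Under this revision `form_id` is dropped along with the hostile name, which is why the 15:20 follow-up adds `_` to the accepted set; the example makes that side effect visible before the diff is read.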
Changes
Changes to src/blob.c.
︙ | ︙ | |||
112 113 114 115 116 117 118 119 120 121 122 123 124 125 | } int fossil_isalpha(char c){ return (c>='a' && c<='z') || (c>='A' && c<='Z'); } int fossil_isalnum(char c){ return (c>='a' && c<='z') || (c>='A' && c<='Z') || (c>='0' && c<='9'); } /* ** COMMAND: test-isspace ** ** Verify that the fossil_isspace() routine is working correctly by ** testing it on all possible inputs. | > > > > > > > > | 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 | } int fossil_isalpha(char c){ return (c>='a' && c<='z') || (c>='A' && c<='Z'); } int fossil_isalnum(char c){ return (c>='a' && c<='z') || (c>='A' && c<='Z') || (c>='0' && c<='9'); } /* Return true if and only if the entire string consists of only ** alphanumeric characters. */ int fossil_all_alnum(const char *z){ while( z && fossil_isalnum(z[0]) ) z++; return z[0]==0; } /* ** COMMAND: test-isspace ** ** Verify that the fossil_isspace() routine is working correctly by ** testing it on all possible inputs. |
︙ | ︙ |
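Review bot: fossil_all_alnum() guards the loop with `z &&` but then reads `z[0]` unconditionally after it, so a NULL argument skips the loop and dereferences NULL anyway; either drop the `z &&` (every caller passes a real string) or return early with `if( z==0 ) return 0;`. The header comment should also state that the empty string returns true (the loop body never runs and `z[0]==0` holds), since the caller in cgi.c passes `zName+1` and relies on exactly that for one-character names.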
Changes to src/cgi.c.
︙ | ︙ | |||
583 584 585 586 587 588 589 | z++; } dehttpize(zValue); }else{ if( *z ){ *z++ = 0; } zValue = ""; } | | | 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 | z++; } dehttpize(zValue); }else{ if( *z ){ *z++ = 0; } zValue = ""; } if( fossil_islower(zName[0]) && fossil_all_alnum(zName+1) ){ cgi_set_parameter_nocopy(zName, zValue, isQP); } #ifdef FOSSIL_ENABLE_JSON json_setenv( zName, cson_value_new_string(zValue,strlen(zValue)) ); #endif /* FOSSIL_ENABLE_JSON */ } } |
︙ | ︙ |
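Review bot: the `#ifdef FOSSIL_ENABLE_JSON` block after the new `if` still calls `json_setenv(zName, ...)` for every parameter, so a name that fails `fossil_islower(zName[0]) && fossil_all_alnum(zName+1)` is kept out of the CGI parameter table but still lands in the JSON environment; if the filter is meant to cover both, move the `json_setenv()` call inside the `if`. The check is also stricter than the commit message says: the first character must be a lowercase letter (so `Page` and `9x` are rejected, not only names with punctuation), and `_` is rejected, which the follow-up check-in e09df6ea in the timeline above relaxes. Rejected names are discarded silently; a debug-level log line at the rejection would help anyone wondering why a parameter vanished.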