| Message ID | 20240913101640.574828-1-stefano.babic@swupdate.org |
|---|---|
| State | Accepted |
| Headers | show
Return-Path: <swupdate+bncBD2ZDGN6SEKRBDNCSC3QMGQEUBXXTJI@googlegroups.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
dkim=pass (2048-bit key;
unprotected) header.d=googlegroups.com header.i=@googlegroups.com
header.a=rsa-sha256 header.s=20230601 header.b=IsUzDrG4;
dkim-atps=neutral
Authentication-Results: legolas.ozlabs.org;
spf=pass (sender SPF authorized) smtp.mailfrom=googlegroups.com
(client-ip=2a00:1450:4864:20::440; helo=mail-wr1-x440.google.com;
envelope-from=swupdate+bncbd2zdgn6sekrbdncsc3qmgqeubxxtji@googlegroups.com;
receiver=patchwork.ozlabs.org)
Received: from mail-wr1-x440.google.com (mail-wr1-x440.google.com
[IPv6:2a00:1450:4864:20::440])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384)
(No client certificate requested)
by legolas.ozlabs.org (Postfix) with ESMTPS id 4X4qwh1P5hz1y1y
for <incoming@patchwork.ozlabs.org>; Fri, 13 Sep 2024 20:16:50 +1000 (AEST)
Received: by mail-wr1-x440.google.com with SMTP id
ffacd0b85a97d-374c301db60sf798610f8f.2
for <incoming@patchwork.ozlabs.org>;
Fri, 13 Sep 2024 03:16:50 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1726222607; cv=pass;
d=google.com; s=arc-20240605;
b=b772RKytt7eShPSX5D4hOzm+Vo/yDPDgsGUVAfawcrQtlwCxSm6PhWJkECQxlcvug3
Gbrz36wWA5tgDd7E2ZJwOt392l95I6b+JiYmIpvECQsFwOV9CYoB/SMijD4ziU6XFlsF
KGDvK6ggFKXPknxyC/5Dr+7Z0U7X48Fff6IaLsedQp2wA9M656XIpK6sXdqho5X8UZz4
0iAuUTDesFcJOurDKoIB+MoIE7H0QojiaZ6lnWHlnmrd1SflIM6IJDfRbM2ghTP4Jg6Y
sMudbx3ahY/rG8Ra18/vSrqXU57roGLsFB082/CxVbptFDoXiUbgLC62G314fqpgotC6
jINQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20240605;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:ui-outboundreport:mime-version
:message-id:date:subject:cc:to:from:sender:dkim-signature;
bh=dsaKomSvffqE15n52DYPw+SHOaKVhy5faxsqmOVyHQw=;
fh=o3AO3AA/33ZB1kszuSw8+Ay+X6klV6wul8ByIyHWoyk=;
b=Vp1tkXES85dz3OLdXSWtlBkvL/Bkxkw03Rk86XB42vpyVzh7LVCPDFs5rAsu8YuKPA
dpLGLtW+BgpFsHr0m8xy7IOJgTprSD+uoNCSPQJyyYxAKWjCm7ytHayQLpz2Cg9+sbdR
7QHT3qaz1HW7xcszT/uFIvMBgIqBwZ3D0v/Qn4i/lcd5xLMA4yMKlifhXVrMMk/iw1qh
fZehxZ/o1OoWBW+RTRHFoeA6xNLH6p2iKomhFvqeXYAsvO3bMl9GlUICf39DExWgmy9t
0QaR8ptzpNvKxOwfYtVh78+fGAAsu/gYraqZBBN8iEypzJ9ZEp8AxGCD8dQVK9HKVbbV
nBZg==;
darn=patchwork.ozlabs.org
ARC-Authentication-Results: i=2; gmr-mx.google.com;
dkim=pass header.i=@swupdate.org header.s=s1-ionos header.b=XmUVPAOz;
spf=pass (google.com: domain of stefano.babic@swupdate.org designates
212.227.126.135 as permitted sender) smtp.mailfrom=stefano.babic@swupdate.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups.com; s=20230601; t=1726222607; x=1726827407;
darn=patchwork.ozlabs.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-authentication-results
:x-original-sender:ui-outboundreport:mime-version:message-id:date
:subject:cc:to:from:sender:from:to:cc:subject:date:message-id
:reply-to;
bh=dsaKomSvffqE15n52DYPw+SHOaKVhy5faxsqmOVyHQw=;
b=IsUzDrG4ydIpslrxpkjgAdQGHGYn6jB2u41UfoJM8iLwmIEQQNWKxIToc7qqRMKTMS
Axl0/p+XR9s0gnXIPmGCsarYa3GBUKKg31wKFNaYiV12GQAxUDcl7iTjWropaWFLyW5j
moej5B5xBnjSDquw/3mKdcxNWOETYzKGuB0GwY7gmMdSK+wJcrujm3VSYrqdrRJTYx+a
wnpLAh3fMKZ7SKqAGf8snCn94AHOCLH2QG1+98aEpCQxi0XhId9sf54XG2V7F3OFsPsQ
SplXenxMUlP1sAutyQXU+fr3ubZaBWJkPgAYJeO2RliahpIzN6XwAWJMc5aSpFZQwkKj
Bzvg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1726222607; x=1726827407;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:x-spam-checked-in-group:list-id:mailing-list:precedence
:x-original-authentication-results:x-original-sender
:ui-outboundreport:mime-version:message-id:date:subject:cc:to:from
:x-beenthere:x-gm-message-state:sender:from:to:cc:subject:date
:message-id:reply-to;
bh=dsaKomSvffqE15n52DYPw+SHOaKVhy5faxsqmOVyHQw=;
b=HyBMkLwnESjXxQNo2S4Bw4w7eaYxT9R6HYIrJpaE67+rjTnl8GNXhSsjxig3t6NBQe
2xIIW4b2uRD/2NcfgtM7a2toMqKFlzrEah4CbNMWXq2m2e/Ge3lgQM6b7EzAJsi9x5KN
PY8aSStSjT/Ndd94whshoGeSDee6ANgyG4FmMpWzLQMHLZJ6yWCvcStSBPzY0Vov5H4g
n+1N7sCf76n8q9Qabh4dkfMvodZAjErzBU5/XXu/c8Evy12pRbYu+qhQVETlu9DtPyFG
ZHt3ej6dZgBrRunRdPlTGo9znDkk4Gi7BT39uLcrZ5iPcpZb4Sv+7loI74VXNEkrnWWr
cAqg==
Sender: swupdate@googlegroups.com
X-Forwarded-Encrypted: i=2;
AJvYcCUe8TgSG7pynrV2uSXup6Gfy/hZVPq1FnsiUslI4894Vt2ljnpC7EqWEUdS8XWyCVCNN1VJG3Tx/g==@patchwork.ozlabs.org
X-Gm-Message-State: AOJu0Yzx+7a7fGDT1uqlehEpCvgyGDzoQ1xpsxoJjSK3gPrpI9jMyyNL
+0YSUOyAWJIrydOeOyg6Cd6YsDyTxkKrf2BvNwF0UUiQYjwMZA5u
X-Google-Smtp-Source:
AGHT+IFNBIoaGufzKmo3QYCaicmJg2THf3H7yEOX8ZO/ZwtGMumkso/UJSyavEonFTF0uCYV/VbLmw==
X-Received: by 2002:adf:e5c7:0:b0:378:80c8:57a with SMTP id
ffacd0b85a97d-378c2cd582emr3186182f8f.9.1726222606573;
Fri, 13 Sep 2024 03:16:46 -0700 (PDT)
X-BeenThere: swupdate@googlegroups.com
Received: by 2002:a05:600c:1c1f:b0:42c:ad31:3851 with SMTP id
5b1f17b1804b1-42cdb393f54ls9114165e9.0.-pod-prod-08-eu; Fri, 13 Sep 2024
03:16:43 -0700 (PDT)
X-Received: by 2002:a05:600c:3b99:b0:426:8884:2c58 with SMTP id
5b1f17b1804b1-42cdb4fbb08mr40566695e9.4.1726222603264;
Fri, 13 Sep 2024 03:16:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1726222603; cv=none;
d=google.com; s=arc-20240605;
b=cfdZCNJHsLxYIRYMXqHm2xVpUZs0M9EvE4ZMBqD1hT1/U5Kv/Flxo7fFnpfeUDPna/
fZ1CmLjqAM2Dj9jHodOuAKjv3bQ2BsWkRnKZ8SUrjJt5RIvDR6AVSMlGH7zSRU/SR8YC
hJBNeynunEJwd+xI7xFQ3DiT6P5NbMGZZSoGQ3+KrCHZkJX8OiQmGcwR/RVv9ANiwLiE
tbInMCEG/qdyUppkB4fDIGr/gVTRMnUQWN7wWjgSXjNIimbrBTc+AuEkARBY5uIEzbrt
mIqnF7Tf6eb9DY3B1bvDGbuT6vRpAh8OiQQOur2q225Xsug4EleWYWlGPDfuQM2Yjg5q
rHvQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20240605;
h=ui-outboundreport:content-transfer-encoding:mime-version:message-id
:date:subject:cc:to:from:dkim-signature;
bh=GxxFBZ4jLhqfpRjh+YPKJ9Wjehw5Mey7zLKNzbjtbb0=;
fh=TiEWcqMcKpHk5s7uErzpntoONrNfOXwKpI5P8bIlggk=;
b=lzbpxVyF8JtjUVCmUiEb/jUK9tZv+ScUUHg3YD8pyMh8yXDFFZ9uIqrVpEhlneJNi+
lEfm4JaxtBcJkc5P8CU++SBx5fzjZGD9hg9dPqnvwfs0/W46C7hY2blaFK4F2UH1MheO
71Qtx+q+vTwbw8QJRmvdwjRHM7OmHaoqRY80w2+rB+9p7U/gDLapmdc0L+uowECrApI6
3GUjjXA6swvuMEeOAthFuXo3L/461SeMroklK+gRfDCJS8kw5hH69u06gZt6a83vuhz+
54VFlxfqHd+hC+zpt4GCNygSPI3ubk7tcaNilFlInp5XQTwlaKVjd/dKKKV1LcZ+We+X
k1Mg==;
dara=google.com
ARC-Authentication-Results: i=1; gmr-mx.google.com;
dkim=pass header.i=@swupdate.org header.s=s1-ionos header.b=XmUVPAOz;
spf=pass (google.com: domain of stefano.babic@swupdate.org designates
212.227.126.135 as permitted sender) smtp.mailfrom=stefano.babic@swupdate.org
Received: from mout.kundenserver.de (mout.kundenserver.de. [212.227.126.135])
by gmr-mx.google.com with ESMTPS id
5b1f17b1804b1-42cc1373098si5074115e9.1.2024.09.13.03.16.43
for <swupdate@googlegroups.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 13 Sep 2024 03:16:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of stefano.babic@swupdate.org
designates 212.227.126.135 as permitted sender) client-ip=212.227.126.135;
X-UI-Sender-Class: 55c96926-9e95-11ee-ae09-1f7a4046a0f6
Received: from paperino.fritz.box ([88.217.136.221]) by
mrelayeu.kundenserver.de (mreue010 [213.165.67.97]) with ESMTPSA (Nemesis) id
1MzQwa-1s2qWQ2kPQ-00yon8; Fri, 13 Sep 2024 12:16:42 +0200
From: Stefano Babic <stefano.babic@swupdate.org>
To: swupdate@googlegroups.com
Cc: Stefano Babic <stefano.babic@swupdate.org>
Subject: [swupdate] [PATCH] BUG: Webserver: SWUPdate crashes with malformed
form
Date: Fri, 13 Sep 2024 12:16:40 +0200
Message-Id: <20240913101640.574828-1-stefano.babic@swupdate.org>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
X-Provags-ID: V03:K1:PLrCJ7s5hq5ol8ecRrICqHvMQXyB5vcBSVD6MK3RCnZgVHd781B
DL5kLWx2ZrK5WAoVd8axvWkTogq99Jk0Ab9Yd3e9PKXhyd4J9WvoG8KkN80IurMaWyAW2fq
dn6zzQduIEn/FuA9+JVMoiel3V6+fqGUs+LPfCIc4LeCKem8qIzh9H9g0SH/jaZ2CV8IP3D
I/dqXgIj8d5WkWf69HUBQ==
X-Spam-Flag: NO
UI-OutboundReport: notjunk:1;M01:P0:lhOsdDhJNtg=;h3RWrNVWNgjNJsza1xfA1BOKEOF
QuiiNDwXC7F8nr4i1bJKlg+5yQdS9e9Q8M8KI/0bB/nimR90EzY22Zwrb/Bl12nBm7tGiCGi1
+QVzjdGS8ZpviJUVqic1IA9+kheQ5htL7X3jRZ9rTGMFBFE++IZkYZMBTzq4GVaiT5BC09sN1
ALStYaRbZofc1UY33be7yFXitLJin59kGREZUwrM26jCmtqNhMQ9n/BiQ3RpVdkmKO31lzusY
lpkSh+itazA1q8fa+Al+1mFWh/tEgtC260reT49FjcnLLE7VI90YyDAQAg7QXce5JZnMatFld
tx64efaTqII8D8p2XEz6DMA2P5v/J5l08KSX6o6ETAo+zcBz2OVTczWx/QahllUGpJKnJu15e
2y6oWSfV/PsGoLjcJ5pjrxCxUKsUPWsAnkiMxmvhjIFhQjkSsyNkkZHCwcJk0z/kyHZq/iuuq
/kj60eSPt4ioJjyzDyjM1ObHJw+fkzMaJAXkP+Tn0OS0aF0r0FATHOYl7hnv+tuZ6k9K6HhqJ
3fg+iBdsoGO3jeWbO0hAXwlcMGaT3Lp8DUI0gWRfEwmmXsxrvHWWf3UTMJHJdWtJmBOOSMCj4
x/4sr4l3ObJti6ElvcHeoAwjBSe7MkQtHaDdFCJmEI8znrHPFmbMyOKvesVOmiLBIIccV55o9
/rVzZyibDJVmuL2v9Q3RKfFL4jTVbcLDlvrNfVn6dFDWbxHAZ3Tg0JZN7oXGs9hIoQEa2SPNl
8TUUDnv2GlHbIUdA+IakHQUUyiUn2+fNQ==
X-Original-Sender: stefano.babic@swupdate.org
X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass
header.i=@swupdate.org header.s=s1-ionos header.b=XmUVPAOz; spf=pass
(google.com: domain of stefano.babic@swupdate.org designates 212.227.126.135
as permitted sender) smtp.mailfrom=stefano.babic@swupdate.org
Content-Type: text/plain; charset="UTF-8"
Precedence: list
Mailing-list: list swupdate@googlegroups.com;
contact swupdate+owners@googlegroups.com
List-ID: <swupdate.googlegroups.com>
X-Spam-Checked-In-Group: swupdate@googlegroups.com
X-Google-Group-Id: 605343134186
List-Post: <https://groups.google.com/group/swupdate/post>,
<mailto:swupdate@googlegroups.com>
List-Help: <https://groups.google.com/support/>,
<mailto:swupdate+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/swupdate
List-Subscribe: <https://groups.google.com/group/swupdate/subscribe>,
<mailto:swupdate+subscribe@googlegroups.com>
List-Unsubscribe:
<mailto:googlegroups-manage+605343134186+unsubscribe@googlegroups.com>,
<https://groups.google.com/group/swupdate/subscribe>
|
| Series |
BUG: Webserver: SWUPdate crashes with malformed form
|
expand
|
diff --git a/mongoose/mongoose_interface.c b/mongoose/mongoose_interface.c index 0185e593..1d636cdf 100644 --- a/mongoose/mongoose_interface.c +++ b/mongoose/mongoose_interface.c @@ -572,7 +572,11 @@ static void upload_handler(struct mg_connection *nc, int ev, void *ev_data) break; } fus->c = nc; - + if (!mp->part.filename.buf) { + mg_http_reply(nc, 400, "", "%s", "filename not set in form\n"); + nc->is_draining = 1; + break; + } struct swupdate_request req; swupdate_prepare_req(&req); req.len = mp->len;
Posting a SWU without setting 'filename' in the form crashes the Webserver. Add the check and return an error. Signed-off-by: Stefano Babic <stefano.babic@swupdate.org> --- mongoose/mongoose_interface.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) -- 2.34.1