Message ID | 20240913101640.574828-1-stefano.babic@swupdate.org |
---|---|
State | Accepted |
Headers | From: Stefano Babic <stefano.babic@swupdate.org>; To: swupdate@googlegroups.com; Subject: [swupdate] [PATCH] BUG: Webserver: SWUPdate crashes with malformed form; Date: Fri, 13 Sep 2024 12:16:40 +0200 |
Series | BUG: Webserver: SWUPdate crashes with malformed form |
diff --git a/mongoose/mongoose_interface.c b/mongoose/mongoose_interface.c index 0185e593..1d636cdf 100644 --- a/mongoose/mongoose_interface.c +++ b/mongoose/mongoose_interface.c @@ -572,7 +572,11 @@ static void upload_handler(struct mg_connection *nc, int ev, void *ev_data) break; } fus->c = nc; - + if (!mp->part.filename.buf) { + mg_http_reply(nc, 400, "", "%s", "filename not set in form\n"); + nc->is_draining = 1; + break; + } struct swupdate_request req; swupdate_prepare_req(&req); req.len = mp->len;
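Review bot: The new guard `if (!mp->part.filename.buf)` tests only the pointer, so a part whose filename is present but empty (non-NULL `buf`, zero length) would still pass and continue to `swupdate_prepare_req(&req)`; if the form parser can produce that case, test the length as well. The guard also sits after `fus->c = nc;`, so on the 400 path the upload state is already attached to the connection when the `break` is taken; consider moving the check ahead of that assignment, or confirm that connection teardown releases `fus` when no request was ever started. A one-line comment above the guard noting that a missing filename previously crashed the handler would help later readers.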
Posting a SWU without setting 'filename' in the form crashes the Webserver. Add the check and return an error.

Signed-off-by: Stefano Babic <stefano.babic@swupdate.org>
---
 mongoose/mongoose_interface.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--
2.34.1