1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
Reject packet with malformed range field instead of raising assert.
This fixes CVE-2020-36420 and makes polipo conformant to RFC7233.
--- a/server.c 2014-05-15 02:19:43.000000000 +0400
+++ b/server.c 2021-08-11 13:42:55.156568391 +0300
@@ -1468,7 +1468,6 @@
int port;
int x, y, z;
- assert(from >= 0 && (to < 0 || to > from));
assert(closure == NULL);
assert(!(object->flags & OBJECT_LOCAL));
assert(object->type == OBJECT_HTTP);
@@ -1499,6 +1498,13 @@
notifyObject(object);
return 1;
}
+
+ if(!(from >= 0 && (to < 0 || to > from))) {
+ do_log(L_ERROR, "Invalid Range field in the header: from=%d, to=%d.\n", from, to);
+ abortObject(object, 400, internAtom("Invalid range header field"));
+ notifyObject(object);
+ return 1;
+ }
memcpy(name, ((char*)object->key) + x, y - x);
name[y - x] = '\0';
|
