1.46b: Security fix and cleanup

- Security: fixed a potential read past EOB in scrape_response() on
      zero-sized payloads. Credit to Jeff Johnson.
- Removed redundant fdopen() in dictionary management,

ChangeLog

@@ -1,3 +1,11 @@
+Version 1.46b:
+--------------
+
+  - Security: fixed a potential read past EOB in scrape_response() on
+    zero-sized payloads. Credit to Jeff Johnson.
+
+  - Removed redundant fdopen() in dictionary management,
+
 Version 1.45b:
 --------------
 

README

@@ -407,15 +407,18 @@ issues):
 $ ./skipfish -MEU -C "AuthCookie=value" -X /logout.aspx -o output_dir \
   http://www.example.com/
 
-Five-connection crawl, but no brute-force; pretending to be MSIE and caring 
-less about ambiguous MIME or character set mismatches:
+Five-connection crawl, but no brute-force; pretending to be MSIE, caring 
+less about ambiguous MIME or character set mismatches, and trusting
+example.com links:
 
-$ ./skipfish -m 5 -LVJ -W /dev/null -o output_dir -b ie http://www.example.com/
+$ ./skipfish -m 5 -LVJ -W /dev/null -o output_dir -b ie -B example.com \
+  http://www.example.com/
 
-Brute force only (no HTML link extraction), trusting links within example.com 
-and timing out after 5 seconds:
+Brute force only (no HTML link extraction), limited to a specific
+directory, timing out after 5 seconds:
 
-$ ./skipfish -B .example.com -O -o output_dir -t 5 http://www.example.com/
+$ ./skipfish -P -I http://www.example.com/dir1/ -O -o output_dir -t 5 \
+  http://www.example.com/dir1/
 
 For a short list of all command-line options, try ./skipfish -h.
 

analysis.c

@@ -839,7 +839,8 @@ next_tag:
 
     /* Skip to next tag. */
 
-    cur_str = (u8*)strchr((char*)tag_end + 1, '<');
+    if (*tag_end) cur_str = (u8*)strchr((char*)tag_end + 1, '<');
+      else cur_str = 0;
 
   } while (cur_str);
 
@@ -1894,7 +1895,7 @@ static void detect_mime(struct http_request* req, struct http_response* res) {
   memcpy(sniffbuf, res->payload,
          (res->pay_len > SNIFF_LEN - 1) ? (SNIFF_LEN - 1) : res->pay_len);
 
-  sniffbuf[SNIFF_LEN - 1] = 0;
+  sniffbuf[(res->pay_len > SNIFF_LEN - 1) ? (SNIFF_LEN - 1) : res->pay_len] = 0;
 
   if (is_mostly_ascii(res)) {
 
@@ -2219,7 +2220,7 @@ static void check_for_stuff(struct http_request* req,
   memcpy(sniffbuf, res->payload,
          (res->pay_len > SNIFF_LEN - 1) ? (SNIFF_LEN - 1) : res->pay_len);
 
-  sniffbuf[SNIFF_LEN - 1] = 0;
+  sniffbuf[(res->pay_len > SNIFF_LEN - 1) ? (SNIFF_LEN - 1) : res->pay_len] = 0;
 
   res->stuff_checked = 1;
 

config.h

@@ -23,7 +23,7 @@
 #ifndef _HAVE_CONFIG_H
 #define _HAVE_CONFIG_H
 
-#define VERSION "1.45b"
+#define VERSION "1.46b"
 
 #define USE_COLOR               1       /* Use terminal colors             */
 

crawler.c

@@ -1141,9 +1141,6 @@ schedule_next:
   n->user_val = 7;
   async_request(n);
 
-
-
-
   /* TODO: We should probably also attempt cookie injection here. */
 
   return 0;

database.c

@@ -1069,14 +1069,12 @@ void save_keywords(u8* fname) {
 
   fd = open((char*)fname, O_WRONLY | O_CREAT | O_EXCL, 0644);
 
-  if (fd < 0 || !(out = fdopen(fd,"a"))) {
+  if (fd < 0 || !(out = fdopen(fd,"w"))) {
     WARN("Unable to save new wordlist to '%s'", fname);
     close(fd);
     return;
   }
 
-  out = fdopen(fd, "w");
-
   for (kh=0;kh<WORD_HASH;kh++)
     for (i=0;i<keyword_cnt[kh];i++)
       fprintf(out,"%c %u %u %u %s\n", keyword[kh][i].is_ext ? 'e' : 'w',

dictionaries/complete.wl

@@ -258,6 +258,7 @@ w 1 1 1 addressbook
 w 1 1 1 adm
 w 1 1 1 admin
 w 1 1 1 admin_
+w 1 1 1 admins
 w 1 1 1 adodb
 w 1 1 1 ads
 w 1 1 1 adv

dictionaries/default.wl

@@ -230,6 +230,7 @@ w 1 1 1 addressbook
 w 1 1 1 adm
 w 1 1 1 admin
 w 1 1 1 admin_
+w 1 1 1 admins
 w 1 1 1 adodb
 w 1 1 1 ads
 w 1 1 1 adv

dictionaries/minimal.wl

@@ -193,6 +193,7 @@ w 1 1 1 addressbook
 w 1 1 1 adm
 w 1 1 1 admin
 w 1 1 1 admin_
+w 1 1 1 admins
 w 1 1 1 adodb
 w 1 1 1 ads
 w 1 1 1 adv