1.22b - bugfix - URL parser now accounts for its own \.\ injection pattern.

2010-03-25 00:31:24 -04:00 · 2010-03-25 00:31:24 -04:00 · 942cb96f58
parent 50c87f0348
commit 942cb96f58
3 changed files with 7 additions and 7 deletions
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-Version 1.21b:
+Version 1.22b:
 --------------

  - URL parser now accounts for its own \.\ injection pattern.
--- a/config.h
+++ b/config.h
@ -23,7 +23,7 @@
 #ifndef _HAVE_CONFIG_H
 #define _HAVE_CONFIG_H

-#define VERSION "1.21b"
+#define VERSION "1.22b"

 #define USE_COLOR               1       /* Use terminal colors             */

--- a/http_client.c
+++ b/http_client.c
@ -497,14 +497,14 @@ void tokenize_path(u8* str, struct http_request* req, u8 add_slash) {
         probes. This is to avoid recursion if it actually worked in some
         way. */

-      if (!strncmp((char*)cur, "\\.\\", 3) && (cur[3] == '/' || !cur[3])) {
-        cur += 3;
+      if (!strncmp((char*)cur, "/\\.\\", 4) && (cur[4] == '/' || !cur[4])) {
+        cur += 4;
        continue;
      }

-      if (!strncasecmp((char*)cur, "%5c.%5c", 7) &&
-          (cur[7] == '/' || !cur[7])) {
-        cur += 7;
+      if (!strncasecmp((char*)cur, "/%5c.%5c", 8) &&
+          (cur[8] == '/' || !cur[8])) {
+        cur += 8;
        continue;
      }