1.42b: Fix to SQL injection detection with empty parameters.

2010-06-29 10:06:30 -04:00 · 2010-06-29 10:06:30 -04:00 · d0ce4e0db9
parent d4b1cd630e
commit d0ce4e0db9
3 changed files with 7 additions and 2 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+Version 1.42b:
+--------------
+
+  - Fix to SQL injection detection with empty parameters.
+
 Version 1.41b:
 --------------

--- a/config.h
+++ b/config.h
@ -23,7 +23,7 @@
 #ifndef _HAVE_CONFIG_H
 #define _HAVE_CONFIG_H

-#define VERSION "1.41b"
+#define VERSION "1.42b"

 #define USE_COLOR               1       /* Use terminal colors             */

--- a/crawler.c
+++ b/crawler.c
@ -1071,7 +1071,7 @@ schedule_next:
  if (orig_state != PSTATE_CHILD_INJECT) {
    u8* pstr = TPAR(RPREQ(req));
    u32 c = strspn((char*)pstr, "01234567890.+-");
-    if (!pstr[c]) is_num = 1;
+    if (pstr[0] && !pstr[c]) is_num = 1;
  }

  n = req_copy(RPREQ(req), req->pivot, 1);