File kvirc-ctcp_vul.diff of Package kvirc
Index: ChangeLog
===================================================================
--- ChangeLog (revision 4696)
+++ ChangeLog (revision 4697)
@@ -1,5 +1,13 @@
-May 2007 - August 2008
+Jul 2010
+ [CtrlAltCa]
+ - backported fix for #858
+
+Jun 2010
 [KVIrc Development Team]
+ - Since KVIrc 4 is out now, development on the 3.x branch is deprecated. Only fixes for big security issues are going to be backported.
+
+May 2007 - Jun 2010
+ [KVIrc Development Team]
 - A lot of changes documented in the svn log. See http://svn.kvirc.de/kvirc/ for the timeline. 02 May 2007
Index: src/modules/dcc/requests.cpp
===================================================================
--- src/modules/dcc/requests.cpp (revision 4694)
+++ src/modules/dcc/requests.cpp (revision 4695)
@@ -81,7 +81,8 @@
 if(KVI_OPTION_BOOL(KviOption_boolNotifyFailedDccHandshakes)) { QString szError = QString("Sorry, your DCC %1 request can't be satisfied: %2").arg(dcc->szType.ptr(), errText);
- dcc_module_reply_errmsg(dcc,szError);
+ //since szError contains an user-suppplied string, we simplify it to avoid any kind of injection (bug #858)
+ dcc_module_reply_errmsg(dcc,szError.simplifyWhiteSpace());
 } }
Index: src/kvirc/sparser/kvi_sp_ctcp.cpp
===================================================================
--- src/kvirc/sparser/kvi_sp_ctcp.cpp (revision 4694)
+++ src/kvirc/sparser/kvi_sp_ctcp.cpp (revision 4695)
@@ -636,7 +636,7 @@
 }
-const char * KviServerParser::extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks)
+const char * KviServerParser::extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks, bool bSafeOnly)
 { // // This one extracts the "next" ctcp parameter in msg_ptr
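Review bot: In the `src/modules/dcc/requests.cpp` hunk the whitespace collapse is applied at this one call site only, so any other caller of `dcc_module_reply_errmsg` that passes remote-derived text keeps the old behaviour; doing the `simplifyWhiteSpace()` inside `dcc_module_reply_errmsg` itself would cover every caller (its body is outside the hunk, so this is unconfirmed). `simplifyWhiteSpace()` turns CR/LF and other whitespace into single spaces but leaves non-whitespace control bytes as they are, so it is worth confirming that the reply path strips or rejects those as well. The added comment also has a typo; suggested wording: `// szError embeds the remote-supplied DCC type: collapse whitespace so CR/LF cannot split the reply (bug #858)`.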
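Review bot: In the `kvi_sp_ctcp.cpp` hunk at -636 the new `bSafeOnly` parameter is not described in the comment block that follows the signature, and the same holds for the second overload (hunk -721) and the declarations in `kvi_sparser.h`. Judging by hunks -668, -693, -753 and -779 it switches off escape decoding and the closing-quote branch, so a line such as `// bSafeOnly: do not decode CTCP escapes and do not treat '"' as a string terminator` would spare readers from working that out. The comment block continues past the end of the hunk.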
@@ -668,17 +668,20 @@
 { case '\\': // backslash : escape sequence
- if(msg_ptr != begin)buffer.append(begin,msg_ptr - begin);
- msg_ptr++;
- if(*msg_ptr)
- {
- // decode the escape
- msg_ptr = decodeCtcpEscape(msg_ptr,buffer);
- begin = msg_ptr;
+ if(bSafeOnly)msg_ptr++;
+ else {
+ if(msg_ptr != begin)buffer.append(begin,msg_ptr - begin);
+ msg_ptr++;
+ if(*msg_ptr)
+ {
+ // decode the escape
+ msg_ptr = decodeCtcpEscape(msg_ptr,buffer);
+ begin = msg_ptr;
+ }
+ // else it is a senseless trailing backslash.
+ // Just ignore and let the function
+ // return spontaneously.
 }
- // else it is a senseless trailing backslash.
- // Just ignore and let the function
- // return spontaneously.
 break; case ' ': // space : separate tokens if not in string
@@ -693,7 +696,7 @@
 } break; case '"':
- if(bInString)
+ if(bInString && !bSafeOnly)
 { // A string terminator. We don't return // immediately since if !bSpaceBreaks
@@ -721,7 +724,7 @@
 return msg_ptr; }
-const char * KviServerParser::extractCtcpParameter(const char * p_msg_ptr,QString &resultBuffer,bool bSpaceBreaks)
+const char * KviServerParser::extractCtcpParameter(const char * p_msg_ptr,QString &resultBuffer,bool bSpaceBreaks, bool bSafeOnly)
 { // // This one extracts the "next" ctcp parameter in p_msg_ptr
@@ -753,15 +756,18 @@
 { case '\\': // backslash : escape sequence
- msg_ptr++;
- if(*msg_ptr)
- {
- // decode the escape
- msg_ptr = decodeCtcpEscape(msg_ptr,buffer);
+ if(bSafeOnly)msg_ptr++;
+ else {
+ msg_ptr++;
+ if(*msg_ptr)
+ {
+ // decode the escape
+ msg_ptr = decodeCtcpEscape(msg_ptr,buffer);
+ }
+ // else it is a senseless trailing backslash.
+ // Just ignore and let the function
+ // return spontaneously.
 }
- // else it is a senseless trailing backslash.
- // Just ignore and let the function
- // return spontaneously.
 break; case ' ': // space : separate tokens if not in string
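Review bot: With `bSafeOnly` set, the `KviStr` overload (hunk -668) and the `QString` overload (hunk -753) may no longer yield the same text for a backslash. In the `KviStr` version the bare `msg_ptr++` leaves the backslash inside the pending `begin`..`msg_ptr` range, so it is presumably copied through literally, whereas the `QString` version shows no such range and the backslash looks to be dropped; the default case is outside both hunks, so this needs checking against the full function. In the `QString` version both branches also start with the same increment, which could be reduced to `msg_ptr++;` followed by `if(!bSafeOnly && *msg_ptr) msg_ptr = decodeCtcpEscape(msg_ptr,buffer);`.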
@@ -779,7 +785,7 @@
 } break; case '"':
- if(bInString)
+ if(bInString && !bSafeOnly)
 { // A string terminator. We don't return // immediately since if !bSpaceBreaks
@@ -1709,7 +1715,7 @@
 { KviDccRequest p; KviStr aux = msg->pData;
- msg->pData = extractCtcpParameter(msg->pData,p.szType);
+ msg->pData = extractCtcpParameter(msg->pData,p.szType, true, true);
 msg->pData = extractCtcpParameter(msg->pData,p.szParam1); msg->pData = extractCtcpParameter(msg->pData,p.szParam2); msg->pData = extractCtcpParameter(msg->pData,p.szParam3);
Index: src/kvirc/sparser/kvi_sparser.h
===================================================================
--- src/kvirc/sparser/kvi_sparser.h (revision 4694)
+++ src/kvirc/sparser/kvi_sparser.h (revision 4695)
@@ -256,8 +256,8 @@
 static void encodeCtcpParameter(const char * param,QString &buffer,bool bSpaceBreaks = true); static const char * decodeCtcpEscape(const char * msg_ptr,KviStr &buffer); static const char * decodeCtcpEscape(const char * msg_ptr,KviQCString &buffer);
- static const char * extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks = true);
- static const char * extractCtcpParameter(const char * msg_ptr,QString &buffer,bool bSpaceBreaks = true);
+ static const char * extractCtcpParameter(const char * msg_ptr,KviStr &buffer,bool bSpaceBreaks = true, bool bSafeOnly=false);
+ static const char * extractCtcpParameter(const char * msg_ptr,QString &buffer,bool bSpaceBreaks = true, bool bSafeOnly=false);
 }; #ifndef _KVI_SPARSER_CPP_
Property changes on: .
___________________________________________________________________
Added: svn:mergeinfo
 Merged /trunk/kvirc:r4693
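Review bot: Only `p.szType` is read with `bSafeOnly` in the hunk at -1709; `p.szParam1` and the following parameters still go through escape decoding, so any path that echoes one of them back to the peer needs its own sanitising (the function continues outside the hunk, so whether such a path exists is not visible here). The two bare booleans are also hard to read at the call site; `extractCtcpParameter(msg->pData,p.szType,true /* bSpaceBreaks */,true /* bSafeOnly */);` makes the intent explicit.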