[7733] in bugtraq
Re: thttpd 2.04 released (fwd)
daemon@ATHENA.MIT.EDU (Olaf Seibert)
Thu Aug 20 15:06:24 1998
Date: Thu, 20 Aug 1998 12:39:31 +0200
Reply-To: Olaf Seibert <rhialto@POLDER.UBC.KUN.NL>
From: Olaf Seibert <rhialto@POLDER.UBC.KUN.NL>
X-To: jef@acme.com, marcs@ZNEP.COM
To: BUGTRAQ@NETSPACE.ORG
Marc Slemko <marcs@ZNEP.COM> forwarded this from Jef Poskanzer <jef@acme.com>:
> *** /tmp/,RCSt101alaP Mon Aug 10 19:09:49 1998
> --- libhttpd.c Mon Aug 10 19:09:31 1998
> ***************
> *** 975,980 ****
> --- 975,986 ----
> (void) strcpy( rest, path );
> if ( rest[restlen - 1] == '/' )
> rest[--restlen] = '\0'; /* trim trailing slash */
> + /* Remove any leading slashes. */
> + while ( rest[0] == '/' )
> + {
> + (void) strcpy( rest, &(rest[1]) );
> + --restlen;
> + }
> r = rest;
> nlinks = 0;
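Review bot: the strcpy( rest, &(rest[1]) ) call in the added loop copies between two positions in the same buffer, one byte apart, and strcpy is undefined when source and destination overlap. Replace it with memmove and a length that includes the '\0' terminator. Better still, count the leading slashes once and shift the string a single time, so that a path with many leading slashes is not re-copied in full for each slash removed.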
I'm afraid this is incorrect too but in a more subtle manner. You cannot
use strcpy to copy overlapping strings, as is done here. (Proving this from
the ISO C standard is left as an exercise for the reader).
Use memmove(rest, &rest[1], restlen+1-1) instead. (+1 to include the \0
terminator, -1 because we copy a string that's 1 character shorter than
rest.)
-Olaf.
--
___ Olaf 'Rhialto' Seibert - rhialto@polder.ubc. ---- Unauthorized duplication,
\X/ .kun.nl ---- while sometimes necessary, is never as good as the real thing.
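The replacement described in the message above, as an added example that is not part of the original post or of thttpd's code: the first function is the patched loop with memmove in place of strcpy, and the second goes one step further and shifts the string once. The function names and the sample paths are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper names, not taken from thttpd. */

/* The patched loop with strcpy swapped for memmove.
 * restlen is strlen(rest) on entry; the new length is returned. */
size_t strip_slashes_loop(char *rest, size_t restlen)
{
    while (rest[0] == '/') {
        /* &rest[1] holds restlen-1 characters plus the '\0': restlen+1-1 bytes.
         * memmove is defined for overlapping source and destination. */
        memmove(rest, &rest[1], restlen);
        --restlen;
    }
    return restlen;
}

/* Same result with one move: count leading slashes, then shift once. */
size_t strip_slashes_once(char *rest, size_t restlen)
{
    size_t skip = strspn(rest, "/");
    if (skip > 0) {
        memmove(rest, rest + skip, restlen - skip + 1); /* +1 for '\0' */
        restlen -= skip;
    }
    return restlen;
}

int main(void)
{
    /* Constructed sample paths, including the all-slash and empty cases. */
    const char *samples[] = { "///docs/index.html", "/", "////", "", "a//b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char a[64], b[64];
        strcpy(a, samples[i]);
        strcpy(b, samples[i]);
        size_t la = strip_slashes_loop(a, strlen(a));
        size_t lb = strip_slashes_once(b, strlen(b));
        printf("\"%s\" -> \"%s\" (%zu) / \"%s\" (%zu)\n", samples[i], a, la, b, lb);
    }
    return 0;
}
```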