http_long_ParseURL accepts invalid port numbers
Hi Scott,

I received an email from somebody who complained about
http_url_post_raw2() returning '1' for URLs that contain a bad port
number.

I debugged the problem and found out that http_long_ParseURL() uses
atoi() to convert the port number from string to integer. Since atoi()
is pretty liberal, it also accepts string values with trailing (and
embedded) characters and hence sometimes (for trailing characters)
"fixes" problems under the cover.

In my opinion fixing errors like that under the cover is not a good
idea and hence I suggest strengthening http_long_ParseURL() like this:

     D NUMBERS         C                   '0123456789'
     ...
     C* the host name may also specify a port number:
     c                   eval      wwPos = %scan(':': peHost)
     c                   if        wwPos > 1 and wwPos < %size(peHost)
     c                   eval      wwTemp = %subst(peHost:wwPos+1)
     c                   eval      peHost = %subst(peHost:1:wwPos-1)
     c                   if        %check(NUMBERS: %trimr(wwTemp)) = 0
     c                   eval      pePort = atoi(%trimr(wwTemp))
     c                   else
     c                   callp     SetError(HTTP_BADURL:'URL contains'+
     c                             ' a bad port number!')
     c                   return    -1
     c                   endif
     c                   endif

I do not think that we also need to check for port numbers greater than
65535, because for that I expect to get a "standard" http error, such
as 504 (Gateway Timeout), that I get back from our proxy server.

Regards,
Thomas.
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
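
The digits-only check discussed in the message above, expressed in C as an added example that is not part of the original post or of HTTPAPI. The helper parse_port_strict() is hypothetical; it ignores trailing blanks as %trimr() does and, going beyond the post, also rejects empty input and values outside 1-65535. The sample inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not HTTPAPI code): parse the text that follows ':'
 * in a host[:port] string. Returns the port number, or -1 when the text is
 * not a plain decimal number in the range 1-65535. */
int parse_port_strict(const char *s)
{
    size_t len = strlen(s);
    long port = 0;
    size_t i;

    /* Ignore trailing blanks, as %trimr() does in the RPG version. */
    while (len > 0 && s[len - 1] == ' ')
        len--;

    /* Empty text, or more digits than 65535 has, cannot be a valid port. */
    if (len == 0 || len > 5)
        return -1;

    for (i = 0; i < len; i++) {
        /* Digits only: signs, blanks and letters are rejected wherever
         * they appear, instead of being silently dropped as atoi() does. */
        if (s[i] < '0' || s[i] > '9')
            return -1;
        port = port * 10 + (s[i] - '0');
    }
    return (port >= 1 && port <= 65535) ? (int)port : -1;
}

int main(void)
{
    /* Constructed sample inputs, not taken from a real URL. */
    const char *samples[] = { "8080", "8080  ", "80abc", "8 0",
                              "abc", "", "+80", "65536", "0" };
    size_t i;

    /* Print atoi() beside the strict result to show where they differ. */
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("[%-6s] atoi=%-6d strict=%d\n", samples[i],
               atoi(samples[i]), parse_port_strict(samples[i]));
    return 0;
}
```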