Re: parsing quoted-string HTTP header fields

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Thu, 26 May 2011 14:33:53 -0600

On 05/26/2011 10:20 AM, Amos Jeffries wrote:

> while (end <= (start+len) && *end != '\\' && *end != '\"' && *end > 0x1F && *end != 0x7F)
> end++;
> - if (*end <= 0x1F || *end == 0x7F) {
> + if ((*end <= 0x1F && *end != '\r') || *end == 0x7F) {
> debugs(66, 2, "failed to parse a quoted-string header field with CTL octet " << (start-pos)

> FYI:
> The while loop skips over as many safe octets as possible (excl. \") to
> optimize calls to append().
>
> The bool checks whether the octet which stopped that scan was important
> enough to abort.

but the scan may not be stopped by an octet! It may be stopped by us
running past the end of the string. And the new code checks for
different things in the loop and in the if-statement after it. This just
feels fishy.

Would the following be better?

  while (end <= (start+len) && *end != '\\' && *end != '\"' &&
!needsEscaping(*end)) ...
  if (end <= (start+len) && needsEscaping(*end))
      debugs(66, 2, HERE << "found unsafe unescaped character in
quoted-string...)

And why is 0x7F so special?

I wish I did not see that code :-).

Alex.
Received on Thu May 26 2011 - 20:34:26 MDT

This archive was generated by hypermail 2.2.0 : Fri May 27 2011 - 12:00:05 MDT