summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVincent Sanders <vince@kyllikki.org>2019-08-06 13:15:24 +0100
committerVincent Sanders <vince@kyllikki.org>2019-08-06 13:16:20 +0100
commit8cec045cb7b433a0c0fc8000ad6bd09f67aaa0c8 (patch)
treeeb551079c3c4e872b79ea3e8e30476f5caa824c3
parent1cf1ec55bc7647e737d7ec41bfe1def721269c02 (diff)
downloadnetsurf-8cec045cb7b433a0c0fc8000ad6bd09f67aaa0c8.tar.gz
netsurf-8cec045cb7b433a0c0fc8000ad6bd09f67aaa0c8.tar.bz2
Improve the about scheme query page generation be be bounds safe
-rw-r--r--content/fetchers/about.c196
-rw-r--r--resources/FatMessages1
2 files changed, 144 insertions, 53 deletions
diff --git a/content/fetchers/about.c b/content/fetchers/about.c
index b5b5743ce..0a92221f5 100644
--- a/content/fetchers/about.c
+++ b/content/fetchers/about.c
@@ -80,9 +80,11 @@ struct about_handlers {
bool hidden; /**< If entry should be hidden in listing */
};
-/** issue fetch callbacks with locking */
-static inline bool fetch_about_send_callback(const fetch_msg *msg,
- struct fetch_about_context *ctx)
+/**
+ * issue fetch callbacks with locking
+ */
+static inline bool
+fetch_about_send_callback(const fetch_msg *msg, struct fetch_about_context *ctx)
{
ctx->locked = true;
fetch_send_callback(msg, ctx->fetchh);
@@ -108,11 +110,39 @@ fetch_about_send_header(struct fetch_about_context *ctx, const char *fmt, ...)
msg.data.header_or_data.buf = (const uint8_t *) header;
msg.data.header_or_data.len = strlen(header);
- fetch_about_send_callback(&msg, ctx);
-
- return ctx->aborted;
+ return fetch_about_send_callback(&msg, ctx);
}
+/**
+ * send formatted data on a fetch
+ */
+static nserror ssenddataf(struct fetch_about_context *ctx, const char *fmt, ...)
+{
+ char buffer[1024];
+ fetch_msg msg;
+ va_list ap;
+ int slen;
+
+ va_start(ap, fmt);
+
+ slen = vsnprintf(buffer, sizeof(buffer), fmt, ap);
+
+ va_end(ap);
+
+ if (slen >= (int)sizeof(buffer)) {
+ return NSERROR_NOSPACE;
+ }
+
+ msg.type = FETCH_DATA;
+ msg.data.header_or_data.buf = (const uint8_t *) buffer;
+ msg.data.header_or_data.len = slen;
+
+ if (fetch_about_send_callback(&msg, ctx)) {
+ return NSERROR_INVALID;
+ }
+
+ return NSERROR_OK;
+}
@@ -623,7 +653,37 @@ static bool fetch_about_srverror(struct fetch_about_context *ctx)
/**
- * generate the description of the login request
+ * generate the description of the privacy query
+ */
+static nserror
+get_privacy_description(struct nsurl *url,
+ const char *reason,
+ char **out_str)
+{
+ nserror res;
+ char *url_s;
+ size_t url_l;
+ char *str = NULL;
+ const char *key = "PrivacyDescription";
+ res = nsurl_get(url, NSURL_SCHEME | NSURL_HOST, &url_s, &url_l);
+ if (res != NSERROR_OK) {
+ return res;
+ }
+
+ str = messages_get_buff(key, url_s, reason);
+
+ if ((str != NULL) && (strcmp(key, str) != 0)) {
+ *out_str = str;
+ } else {
+ *out_str = strdup(reason);
+ }
+ free(url_s);
+
+ return res;
+}
+
+/**
+ * generate the description of the login query
*/
static nserror
get_login_description(struct nsurl *url,
@@ -632,14 +692,14 @@ get_login_description(struct nsurl *url,
const char *password,
char **out_str)
{
+ nserror res;
char *url_s;
size_t url_l;
- nserror res;
char *str = NULL;
int slen;
const char *key;
- res = nsurl_get(url, NSURL_SCHEME | NSURL_HOST, &url_s, &url_l);
+ res = nsurl_get(url, NSURL_HOST, &url_s, &url_l);
if (res != NSERROR_OK) {
return res;
}
@@ -682,8 +742,6 @@ static bool fetch_about_query_auth_handler(struct fetch_about_context *ctx)
{
nserror res;
fetch_msg msg;
- char buffer[1024];
- int slen;
char *url_s;
size_t url_l;
const char *realm = "";
@@ -723,11 +781,10 @@ static bool fetch_about_query_auth_handler(struct fetch_about_context *ctx)
if (fetch_about_send_header(ctx, "Content-Type: text/html; charset=utf-8"))
goto fetch_about_query_auth_handler_aborted;
- msg.type = FETCH_DATA;
- msg.data.header_or_data.buf = (const uint8_t *) buffer;
title = messages_get("LoginTitle");
- slen = snprintf(buffer, sizeof buffer,
+
+ res = ssenddataf(ctx,
"<html>\n<head>\n"
"<title>%s</title>\n"
"<link rel=\"stylesheet\" type=\"text/css\" "
@@ -736,9 +793,17 @@ static bool fetch_about_query_auth_handler(struct fetch_about_context *ctx)
"<body id =\"authentication\">\n"
"<h1>%s</h1>\n",
title, title);
+ if (res != NSERROR_OK) {
+ goto fetch_about_query_auth_handler_aborted;
+ }
+
- slen += snprintf(buffer + slen, sizeof(buffer) - slen,
- "<form method=\"post\" enctype=\"multipart/form-data\">");
+ res = ssenddataf(ctx,
+ "<form method=\"post\""
+ " enctype=\"multipart/form-data\">");
+ if (res != NSERROR_OK) {
+ goto fetch_about_query_auth_handler_aborted;
+ }
res = get_login_description(siteurl,
realm,
@@ -746,30 +811,36 @@ static bool fetch_about_query_auth_handler(struct fetch_about_context *ctx)
password,
&description);
if (res == NSERROR_OK) {
- slen += snprintf(buffer + slen, sizeof(buffer) - slen,
- "<p>%s</p>",
- description);
+ res = ssenddataf(ctx, "<p>%s</p>", description);
free(description);
+ if (res != NSERROR_OK) {
+ goto fetch_about_query_auth_handler_aborted;
+ }
}
-
- slen += snprintf(buffer + slen, sizeof(buffer) - slen,
+ res = ssenddataf(ctx,
"<div>"
"<label for=\"name\">%s:</label>"
"<input type=\"text\" id=\"username\" "
"name=\"username\" value=\"%s\">"
"</div>",
messages_get("Username"), username);
+ if (res != NSERROR_OK) {
+ goto fetch_about_query_auth_handler_aborted;
+ }
- slen += snprintf(buffer + slen, sizeof(buffer) - slen,
+ res = ssenddataf(ctx,
"<div>"
"<label for=\"password\">%s:</label>"
"<input type=\"password\" id=\"password\" "
"name=\"password\" value=\"%s\">"
"</div>",
messages_get("Password"), password);
+ if (res != NSERROR_OK) {
+ goto fetch_about_query_auth_handler_aborted;
+ }
- slen += snprintf(buffer + slen, sizeof(buffer) - slen,
+ res = ssenddataf(ctx,
"<div id=\"buttons\">"
"<input type=\"submit\" id=\"cancel\" name=\"cancel\" "
"value=\"%s\">"
@@ -778,26 +849,33 @@ static bool fetch_about_query_auth_handler(struct fetch_about_context *ctx)
"</div>",
messages_get("Cancel"),
messages_get("Login"));
+ if (res != NSERROR_OK) {
+ goto fetch_about_query_auth_handler_aborted;
+ }
res = nsurl_get(siteurl, NSURL_COMPLETE, &url_s, &url_l);
if (res != NSERROR_OK) {
url_s = strdup("");
}
- slen += snprintf(buffer + slen, sizeof(buffer) - slen,
+ res = ssenddataf(ctx,
"<input type=\"hidden\" name=\"siteurl\" value=\"%s\">",
url_s);
free(url_s);
+ if (res != NSERROR_OK) {
+ goto fetch_about_query_auth_handler_aborted;
+ }
- slen += snprintf(buffer + slen, sizeof(buffer) - slen,
+ res = ssenddataf(ctx,
"<input type=\"hidden\" name=\"realm\" value=\"%s\">",
realm);
+ if (res != NSERROR_OK) {
+ goto fetch_about_query_auth_handler_aborted;
+ }
- slen += snprintf(buffer + slen, sizeof(buffer) - slen,
- "</form></body>\n</html>\n");
-
- msg.data.header_or_data.len = slen;
- if (fetch_about_send_callback(&msg, ctx))
+ res = ssenddataf(ctx, "</form></body>\n</html>\n");
+ if (res != NSERROR_OK) {
goto fetch_about_query_auth_handler_aborted;
+ }
msg.type = FETCH_FINISHED;
fetch_about_send_callback(&msg, ctx);
@@ -814,19 +892,18 @@ fetch_about_query_auth_handler_aborted:
}
/**
- * Handler to generate about scheme ssl query page
+ * Handler to generate about scheme privacy query page
*/
-static bool fetch_about_query_ssl_handler(struct fetch_about_context *ctx)
+static bool fetch_about_query_privacy_handler(struct fetch_about_context *ctx)
{
nserror res;
fetch_msg msg;
- char buffer[1024];
- int slen;
char *url_s;
size_t url_l;
const char *reason = "";
const char *title;
struct nsurl *siteurl = NULL;
+ char *description = NULL;
const struct fetch_multipart_data *curmd; /* mutipart data iterator */
/* extract parameters from multipart post data */
@@ -851,14 +928,12 @@ static bool fetch_about_query_ssl_handler(struct fetch_about_context *ctx)
fetch_set_http_code(ctx->fetchh, 200);
/* content type */
- if (fetch_about_send_header(ctx, "Content-Type: text/html; charset=utf-8"))
+ if (fetch_about_send_header(ctx, "Content-Type: text/html; charset=utf-8")) {
goto fetch_about_query_ssl_handler_aborted;
-
- msg.type = FETCH_DATA;
- msg.data.header_or_data.buf = (const uint8_t *) buffer;
+ }
title = messages_get("PrivacyTitle");
- slen = snprintf(buffer, sizeof buffer,
+ res = ssenddataf(ctx,
"<html>\n<head>\n"
"<title>%s</title>\n"
"<link rel=\"stylesheet\" type=\"text/css\" "
@@ -867,16 +942,27 @@ static bool fetch_about_query_ssl_handler(struct fetch_about_context *ctx)
"<body id =\"privacy\">\n"
"<h1>%s</h1>\n",
title, title);
+ if (res != NSERROR_OK) {
+ goto fetch_about_query_ssl_handler_aborted;
+ }
- slen += snprintf(buffer + slen, sizeof(buffer) - slen,
- "<p>%s</p>",
- reason);
-
- slen += snprintf(buffer + slen, sizeof(buffer) - slen,
- "<form method=\"post\" enctype=\"multipart/form-data\">");
+ res = get_privacy_description(siteurl, reason, &description);
+ if (res == NSERROR_OK) {
+ res = ssenddataf(ctx, "<p>%s</p>", description);
+ free(description);
+ if (res != NSERROR_OK) {
+ goto fetch_about_query_ssl_handler_aborted;
+ }
+ }
+ res = ssenddataf(ctx,
+ "<form method=\"post\""
+ " enctype=\"multipart/form-data\">");
+ if (res != NSERROR_OK) {
+ goto fetch_about_query_ssl_handler_aborted;
+ }
- slen += snprintf(buffer + slen, sizeof(buffer) - slen,
+ res = ssenddataf(ctx,
"<div>"
"<input type=\"submit\" id=\"back\" name=\"back\" "
"value=\"%s\">"
@@ -885,22 +971,26 @@ static bool fetch_about_query_ssl_handler(struct fetch_about_context *ctx)
"</div>",
messages_get("Backtosafety"),
messages_get("Proceed"));
+ if (res != NSERROR_OK) {
+ goto fetch_about_query_ssl_handler_aborted;
+ }
res = nsurl_get(siteurl, NSURL_COMPLETE, &url_s, &url_l);
if (res != NSERROR_OK) {
url_s = strdup("");
}
- slen += snprintf(buffer + slen, sizeof(buffer) - slen,
+ res = ssenddataf(ctx,
"<input type=\"hidden\" name=\"siteurl\" value=\"%s\">",
url_s);
free(url_s);
+ if (res != NSERROR_OK) {
+ goto fetch_about_query_ssl_handler_aborted;
+ }
- slen += snprintf(buffer + slen, sizeof(buffer) - slen,
- "</form></body>\n</html>\n");
-
- msg.data.header_or_data.len = slen;
- if (fetch_about_send_callback(&msg, ctx))
+ res = ssenddataf(ctx, "</form></body>\n</html>\n");
+ if (res != NSERROR_OK) {
goto fetch_about_query_ssl_handler_aborted;
+ }
msg.type = FETCH_FINISHED;
fetch_about_send_callback(&msg, ctx);
@@ -1020,7 +1110,7 @@ struct about_handlers about_handler_list[] = {
"query/ssl",
SLEN("query/ssl"),
NULL,
- fetch_about_query_ssl_handler,
+ fetch_about_query_privacy_handler,
true
}
};
diff --git a/resources/FatMessages b/resources/FatMessages
index 3c6ca4893..487fe31f7 100644
--- a/resources/FatMessages
+++ b/resources/FatMessages
@@ -2784,6 +2784,7 @@ nl.all.Cancel:Annuleer
#
en.all.PrivacyTitle:Privacy error
+en.all.PrivacyDescription:Attackers might be trying to steal your information from %s (for example, passwords, messages or credit cards) %s
en.all.Proceed:Proceed
en.all.Backtosafety:Back to safety