hrev47610 adds 3 changesets to branch 'master' old head: dcef881fe6756028e3d026e0ccc7f7edbc44131c new head: f0245dc22552eb88a8ee73b2f76046f7eea5aedb overview: http://cgit.haiku-os.org/haiku/log/?qt=range&q=f0245dc+%5Edcef881 ---------------------------------------------------------------------------- eec7626: Safer URL decoding. Some URLs may use the % character for other purposes than URL-encoding (this is seen in some data URLs). Make sure we parse that properly, and avoid a possible out of bounds access if the percent char is near the end of the string. 6bd0ac9: Data URLs: parse the whole URL, not just the path. The RFC for Data URLs specifies a nonstandard format, and because of this it doesn't support queries and fragments. This allows the use of the # and ? characters in the URL data. We didn't handle this properly, which would lead to truncated data. f0245dc: Replace broken curl and ca_root_certificates * Remove unneeded path mashup in curl to find the ca_root_certificates and use the file in .self/data/ssl. This makes it possible to rename the package providing ca_root_certificates without everything exploding. * Use a certificate file in the format cURL expects, not Mozilla source file in NSS format. [ Adrien Destugues <pulkomandy@xxxxxxxxxxxxx> ] ---------------------------------------------------------------------------- 3 files changed, 30 insertions(+), 10 deletions(-) build/jam/repositories/HaikuPorts/x86_gcc2 | 6 +++--- src/kits/network/libnetapi/DataRequest.cpp | 10 +++++++++- src/kits/network/libnetapi/Url.cpp | 24 ++++++++++++++++++------ ############################################################################ Commit: eec762686b49d4850c3bdfa32c75faffe834c688 URL: http://cgit.haiku-os.org/haiku/commit/?id=eec7626 Author: Adrien Destugues <pulkomandy@xxxxxxxxxxxxx> Date: Wed Jul 30 13:51:13 2014 UTC Safer URL decoding. Some URLs may use the % character for other purposes than URL-encoding (this is seen in some data URLs). 
Make sure we parse that properly, and avoid a possible out of bounds access if the percent char is near the end of the string. ----------------------------------------------------------------------------
diff --git a/src/kits/network/libnetapi/Url.cpp b/src/kits/network/libnetapi/Url.cpp
index 0acc611..868d6fc 100644
--- a/src/kits/network/libnetapi/Url.cpp
+++ b/src/kits/network/libnetapi/Url.cpp
@@ -1004,14 +1004,26 @@ BUrl::_DoUrlDecodeChunk(const BString& chunk, bool strict)
 for (int32 i = 0; i < chunk.Length(); i++) {
 if (chunk[i] == '+' && !strict)
 result << ' ';
- else if (chunk[i] != '%')
- result << chunk[i];
 else {
- char hexString[] = { chunk[i + 1], chunk[i + 2], 0 };
- result << (char)strtol(hexString, NULL, 16);
+ bool isEncoded = false;
+ char decoded = 0;
+
+ if (chunk[i] == '%' && i < chunk.Length() - 2)
+ {
+ char hexString[] = { chunk[i + 1], chunk[i + 2], 0 };
+ char* out = NULL;
+ decoded = (char)strtol(hexString, &out, 16);
+ if (out == hexString + 2) {
+ isEncoded = true;
+ i += 2;
+ }
+ }
 
- i += 2;
- }
+ if (isEncoded)
+ result << decoded;
+ else
+ result << chunk[i];
+ }
 }
 return result;
 }
############################################################################ Commit: 6bd0ac94896d11bc915cd16b0104583a32e6f7e2 URL: http://cgit.haiku-os.org/haiku/commit/?id=6bd0ac9 Author: Adrien Destugues <pulkomandy@xxxxxxxxxxxxx> Date: Wed Jul 30 13:52:46 2014 UTC Data URLs: parse the whole URL, not just the path. The RFC for Data URLs specifies a nonstandard format, and because of this it doesn't support queries and fragments. This allows the use of the # and ? characters in the URL data. We didn't handle this properly, which would lead to truncated data. ----------------------------------------------------------------------------
diff --git a/src/kits/network/libnetapi/DataRequest.cpp b/src/kits/network/libnetapi/DataRequest.cpp
index 40c8c25..c650c73 100644
--- a/src/kits/network/libnetapi/DataRequest.cpp
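Review bot: In BUrl::_DoUrlDecodeChunk (Url.cpp), the `out == hexString + 2` test does not guarantee that both characters after `%` are hex digits, because strtol() skips leading whitespace and accepts an optional sign; sequences such as `%+1`, `%-1` or `% 1` would still be taken as escapes and decoded to a byte. Testing the two characters directly, e.g. `if (chunk[i] == '%' && i < chunk.Length() - 2 && isxdigit((unsigned char)chunk[i + 1]) && isxdigit((unsigned char)chunk[i + 2]))`, makes the decoder accept exactly `%HH` and leave every other `%` literal, which is what the commit message describes. isxdigit() needs <ctype.h>; whether Url.cpp already includes it is not visible here. The function starts outside the hunk.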
+++ b/src/kits/network/libnetapi/DataRequest.cpp
@@ -39,8 +39,16 @@ BDataRequest::_ProtocolLoop()
 ssize_t length;
 bool isBase64 = false;
 
+ // The RFC has examples where some characters are URL-Encoded.
 fUrl.UrlDecode(true);
- BString data = fUrl.Path();
+
+ // The RFC says this uses a nonstandard scheme, so the path, query and
+ // fragment are a bit nonsensical. It would be nice to handle them, but
+ // some software (eg. WebKit) relies on data URIs with embedded "#" char
+ // in the data...
+ BString data = fUrl.UrlString();
+ data.Remove(0, 5); // remove "data:"
+
 int separatorPosition = data.FindFirst(',');
 
 if (fListener != NULL)
############################################################################ Revision: hrev47610 Commit: f0245dc22552eb88a8ee73b2f76046f7eea5aedb URL: http://cgit.haiku-os.org/haiku/commit/?id=f0245dc Author: Adrien Destugues <pulkomandy@xxxxxxxxxxxxx> Date: Fri Aug 1 07:31:58 2014 UTC Replace broken curl and ca_root_certificates * Remove unneeded path mashup in curl to find the ca_root_certificates and use the file in .self/data/ssl. This makes it possible to rename the package providing ca_root_certificates without everything exploding. * Use a certificate file in the format cURL expects, not Mozilla source file in NSS format. ----------------------------------------------------------------------------
diff --git a/build/jam/repositories/HaikuPorts/x86_gcc2 b/build/jam/repositories/HaikuPorts/x86_gcc2
index a99da06..124721b 100644
--- a/build/jam/repositories/HaikuPorts/x86_gcc2
+++ b/build/jam/repositories/HaikuPorts/x86_gcc2
@@ -4,7 +4,7 @@ RemotePackageRepository HaikuPorts
 :
 # architecture "any" packages
 be_book-2008_10_26-1
- ca_root_certificates-2014_04_08-1
+ ca_root_certificates-2014_04_08-2
 docbook_xml_dtd-4.5-1
 docbook_xsl_stylesheets-1.78.1-1
 openttd_gfx-0.4.7-1
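Review bot: In BDataRequest::_ProtocolLoop (DataRequest.cpp), `data.Remove(0, 5)` strips five characters without checking that they are the `data:` scheme, so the code relies on `fUrl.UrlString()` always serialising the URL in exactly that form. If the string ever comes back with a different prefix (whether BUrl can do that after `UrlDecode(true)` is not visible in this hunk), part of the media type or payload would be dropped silently, or scheme text would be parsed as data. A guard such as `if (data.Compare("data:", 5) != 0)` with the function's usual error return, placed before the `Remove` call, would make the assumption explicit. The function starts and ends outside the hunk.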
@@ -46,8 +46,8 @@ RemotePackageRepository HaikuPorts
 cdrtools-3.01~a18-1
 cdrtools_devel-3.01~a18-1
 ctags-5.8-3
- curl-7.35.0-1
- curl_devel-7.35.0-1
+ curl-7.37.0-2
+ curl_devel-7.37.0-2
 cvs-1.12.13.1-6
 distcc-3.1-2
 dmidecode-2.12-2