Package: libproxy0
Version: 0.3.1-2ubuntu5
Severity: important
Tags: patch
libproxy0 contains a string parsing error in url.c:308: when the URL
contains a username and a port but no password, parsing fails with an
assertion failure in px_malloc0 (misc.c:39). A patch to fix this is included.
-- System Information:
Debian Release: squeeze/sid
APT prefers natty-updates
APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty')
Architecture: i386 (i686)
Kernel: Linux 2.6.38-10-generic (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL
set to de_DE.utf8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libproxy0 depends on:
ii libc6 2.13-0ubuntu13 Embedded GNU C Library: Shared lib
libproxy0 recommends no packages.
Versions of packages libproxy0 suggests:
ii libwebkitgtk-1.0-0 1.3.13-0ubuntu2 Web content engine library for Gtk
-- no debconf information
diff -ur libproxy-0.3.1-old/src/lib/url.c libproxy-0.3.1/src/lib/url.c
--- libproxy-0.3.1-old/src/lib/url.c 2009-09-29 21:52:50.000000000 +0200
+++ libproxy-0.3.1/src/lib/url.c 2011-07-28 09:44:01.318668280 +0200
@@ -300,13 +300,20 @@
start += strlen(self->scheme) + 3;
/* If we have a username and password */
- if (strchr(start, '@') && (strchr(start, '/') > strchr(start, '@') || strchr(start, '/') == NULL))
+ char* atpos = strchr(start,'@');
+ char* slashpos = strchr(start,'/');
+ char* colpos = strchr(start,':');
+ if (atpos && (slashpos > atpos || slashpos == NULL))
{
- if (!strchr(start, ':')) goto error; // Can't find user/pass delimiter
- self->username = px_strndup(start, strchr(start, ':') - start);
- start += strlen(self->username) + 1;
- self->password = px_strndup(start, strchr(start, '@') - start);
- start += strlen(self->password) + 1;
+ if (colpos > atpos || colpos == NULL) { // we have user (and possibly port), but no pass
+ self->username = px_strndup(start, atpos - start);
+ start += strlen(self->username) + 1;
+ } else { // regular user and pass
+ self->username = px_strndup(start, colpos - start);
+ start += strlen(self->username) + 1;
+ self->password = px_strndup(start, atpos - start);
+ start += strlen(self->password) + 1;
+ }
}
/* Get host */
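Review bot: The two new conditions evaluate `slashpos > atpos` and `colpos > atpos` before their NULL checks, so a NULL pointer can take part in a relational comparison, which C leaves undefined. Putting the NULL test first avoids that: `if (atpos && (slashpos == NULL || slashpos > atpos))` and `if (colpos == NULL || colpos > atpos) {`. The username-only branch also accepts `atpos == start` (an empty user name directly before the `@`), which passes a length of 0 to `px_strndup`. Since the reported crash was an assertion in `px_malloc0`, it is worth confirming that a zero-length copy is allowed there, or rejecting the case with `goto error`. The enclosing function begins and ends outside this hunk.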
@@ -337,6 +344,8 @@
self->url = px_malloc0(strlen(url) + 1);
if (self->username && self->password)
snprintf(self->url, strlen(url) + 1, "%s://%s:%s@%s", self->scheme, self->username, self->password, self->host);
+ else if (self->username)
+ snprintf(self->url, strlen(url) + 1, "%s://%s@%s", self->scheme, self->username, self->host);
else
snprintf(self->url, strlen(url) + 1, "%s://%s", self->scheme, self->host);
if (port_specified)
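Review bot: The added `else if (self->username)` branch, like the two around it, relies on `strlen(url) + 1` being large enough for the rebuilt string and ignores the return value of `snprintf`, so a truncated `self->url` would go unnoticed. The bound presumably holds because scheme, username and host are all copied out of `url`, but the host parsing is outside this hunk. A comment such as `/* components are substrings of url, so the rebuilt string cannot exceed strlen(url) */` would record the assumption. Since `self->url` retains the user name (and the password in the first branch), any caller that logs or displays it would expose them, which is worth a note where the field is declared.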