| author | Xavier Del Campo Romero <xavi.dcr@tutanota.com> | 2024-02-19 23:03:16 +0100 |
|---|---|---|
| committer | Xavier Del Campo Romero <xavi.dcr@tutanota.com> | 2024-02-19 23:35:08 +0100 |
| commit | f6b84b765d6fa4d95aae5501fedca5cd8903e224 (patch) | |
| tree | 41d7d68279c42e8e6b725ce451217c9a50dea641 | |
| parent | 0f889b409e20aea188e88b79b73ded992fc6af33 (diff) | |
Bump libweb to 0.3.0
The following commits fix a couple of security issues on libweb.
Because of afe0681c0b26bb64bad55d7e86770f346cfa043e, slcl had to be
updated to set up its struct http_cfg_post.
commit afe0681c0b26bb64bad55d7e86770f346cfa043e
Author: Xavier Del Campo Romero <xavi.dcr@tutanota.com>
Date: Mon Feb 19 23:00:56 2024 +0100
Limit maximum multipart/form-data pairs and files
A malicious user could inject an infinite number of empty files or
key/value pairs into a request in order to exhaust the device's
resources.
commit 9d9e0c2979f43297b2ebbf84f14f064f3f9ced0e
Author: Xavier Del Campo Romero <xavi.dcr@tutanota.com>
Date: Mon Feb 19 22:49:09 2024 +0100
html.c: Avoid half-init objects on html_node_add_attr
The previous implementation would leave half-initialised objects if one
of the calls to strdup(3) failed. Now, n->attrs is only modified when
all previous memory allocations were successful.
| -rw-r--r-- | CMakeLists.txt | 2 | ||||
| m--------- | libweb | 0 | ||||
| -rw-r--r-- | main.c | 9 |
3 files changed, 9 insertions, 2 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 9b2e5eb..c0f72fa 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -13,7 +13,7 @@ add_executable(${PROJECT_NAME}
 target_compile_options(${PROJECT_NAME} PRIVATE -Wall)
 target_compile_definitions(${PROJECT_NAME} PRIVATE _FILE_OFFSET_BITS=64)
 set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} ${CMAKE_CURRENT_LIST_DIR}/cmake)
-find_package(web 0.2.0)
+find_package(web 0.3.0)
 if(WEB_FOUND)
 find_package(dynstr 0.1.0)
diff --git a/libweb b/libweb
-Subproject 6ceae16a20175edb77fb2ffab0d3d6648d01122
+Subproject b4930f72bb9026c5a0871f4fa4cabe20cb0e6a9
@@ -2090,7 +2090,14 @@ int main(int argc, char *argv[])
 {
 .length = check_length,
 .tmpdir = tmpdir,
- .user = a
+ .user = a,
+ .post =
+ {
+ /* Arbitrary limit. */
+ .max_files = 10000,
+ /* File upload only requires one pair. */
+ .max_pairs = 1
+ }
 };
 unsigned short outport; |
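Review bot: The `.max_files = 10000` cap in the new `.post` initializer is justified only by "Arbitrary limit.", so a single multipart request may still carry ten thousand file parts; if each part costs a temporary file under `tmpdir` (libweb's handling is not visible here), that is a large per-request budget for a fix aimed at resource exhaustion. Consider a value tied to what the upload form actually sends, or at least a named constant that records the reasoning, e.g. `enum {MAX_FILES = 10000}; /* per-request cap on multipart files; bounds temporary files created under tmpdir */`. It would also help to confirm how libweb responds when either limit is exceeded, so that rejected requests are distinguishable in logs from ordinary failures. The initializer and main() both start and end outside this hunk.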
