From f6b84b765d6fa4d95aae5501fedca5cd8903e224 Mon Sep 17 00:00:00 2001 From: Xavier Del Campo Romero Date: Mon, 19 Feb 2024 23:03:16 +0100 Subject: Bump libweb to 0.3.0 The following commits fix a couple of security issues on libweb. Because of afe0681c0b26bb64bad55d7e86770f346cfa043e, slcl had to be updated to set up its struct http_cfg_post. commit afe0681c0b26bb64bad55d7e86770f346cfa043e Author: Xavier Del Campo Romero Date: Mon Feb 19 23:00:56 2024 +0100 Limit maximum multipart/form-data pairs and files A malicious user could inject an infinite number of empty files or key/value pairs into a request in order to exhaust the device's resources. commit 9d9e0c2979f43297b2ebbf84f14f064f3f9ced0e Author: Xavier Del Campo Romero Date: Mon Feb 19 22:49:09 2024 +0100 html.c: Avoid half-init objects on html_node_add_attr The previous implementation would leave half-initialised objects if one of the calls to strdup(3) failed. Now, n->attrs is only modified when all previous memory allocations were successful. --- main.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'main.c') diff --git a/main.c b/main.c index a5659a4..d76b225 100644 --- a/main.c +++ b/main.c @@ -2090,7 +2090,14 @@ int main(int argc, char *argv[]) { .length = check_length, .tmpdir = tmpdir, - .user = a + .user = a, + .post = + { + /* Arbitrary limit. */ + .max_files = 10000, + /* File upload only requires one pair. */ + .max_pairs = 1 + } }; unsigned short outport; -- cgit v1.2.3
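Review bot: `.max_files = 10000` in the new `.post` initializer is documented only as "Arbitrary limit.", so the bound that the commit message introduces against resource exhaustion has no stated rationale and is still large for a single request. Consider a named constant or a configurable value, with a comment saying what it is sized against (temporary storage under `.tmpdir`, memory per request), and lower it if uploads never need that many files at once. The `.max_pairs = 1` comment does state its reasoning; it is worth confirming that no other multipart/form-data form served through this configuration sends more than one key/value pair, since such a request would presumably exceed the new limit.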