-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | Makefile | 4 | ||||
-rw-r--r-- | debian/changelog | 13 | ||||
-rw-r--r-- | src/httpd.c | 15 | ||||
-rw-r--r-- | src/i18n.h | 7 |
5 files changed, 28 insertions, 12 deletions
@@ -1,3 +1,4 @@ sear.c tmp/ valgrind-out.txt +core @@ -1,5 +1,5 @@ DESTDIR=/ - +CC = cc .NOTPARALLEL: default: mkdir tmp -p @@ -9,7 +9,7 @@ default: echo ', 0' >> tmp/hp.xxd xxd -i < src/osdd.xml > tmp/osdd.xxd echo ', 0' >> tmp/osdd.xxd - gcc -Wall -Wextra -pedantic -Wno-unused-parameter -g -Isrc -Itmp -pthread src/main.c $$(xml2-config --libs --cflags) -lmicrohttpd -lm -osear.c + $(CC) -Wall -Wextra -pedantic -Wno-unused-parameter -g -Isrc -Itmp -pthread src/main.c $$(xml2-config --libs --cflags) -lmicrohttpd -lm -osear.c install: mkdir -p $(DESTDIR)/usr/bin/ diff --git a/debian/changelog b/debian/changelog index 39ba5db..5dcb664 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,8 +1,19 @@ +sear.c (0.0.16-1) stable; urgency=low + + * fixed a DoS and possibly RCE security vulnerability that was introduced in + 0.0.12 because of not accounting for length of add_form and not accounting + for the added parameter in hp printf format string + * added notice when SC_LOGMEM is disabled for accessing logs and enabling + heap logging + * all users of versions 0.0.12, 0.0.13, 0.0.14 and 0.0.15 must upgrade asap + + -- Anton Luka Šijanec <anton@sijanec.eu> Tue, 05 Oct 2021 16:00:00 +0200 + sear.c (0.0.15-1) stable; urgency=low * fixed osdd inclusion mechanism for firefox browsers, link needed title - -- Anton Luka Šijanec <anton@sijanec.eu> Tue, 21 Sep 2021 14:00:00 +0200 + -- Anton Luka Šijanec <anton@sijanec.eu> Tue, 21 Sep 2021 14:00:00 +0200 sear.c (0.0.14-3) stable; urgency=low diff --git a/src/httpd.c b/src/httpd.c index dfa06db..514f57a 100644 --- a/src/httpd.c +++ b/src/httpd.c 
@@ -152,16 +152,19 @@ enum MHD_Result sc_httpd (void * cls,
 sprintf(response, sc_osdd, host);
 content_type = "application/opensearchdescription+xml";
 break;
-#ifdef SC_LOGMEM
 case 'l': /* logs.html */
 {
+#ifdef SC_LOGMEM
 char * logshtml = sc_logshtml(c);
- response = malloc(strlen((char *) sc_hp)+strlen(SC_I18N_LOGS)+strlen(logshtml ? logshtml : SC_I18N_LOGS_ERROR));
- sprintf(response, (char *) sc_hp, "", "", SC_I18N_LOGS, logshtml ? logshtml : SC_I18N_LOGS_ERROR);
+ response = malloc(strlen((char *) sc_hp)+strlen(SC_I18N_LOGS)+strlen(logshtml ? logshtml : SC_I18N_LOGS_ERROR)+strlen(add_form));
+ sprintf(response, (char *) sc_hp, "", "", add_form, SC_I18N_LOGS, logshtml ? logshtml : SC_I18N_LOGS_ERROR);
 free(logshtml);
+#else
+ response = malloc(strlen((char *) sc_hp)+strlen(SC_I18N_LOGS_NOT_ENABLED)+strlen(SC_I18N_HP_ERROR_HEADING)+strlen(SC_I18N_LOGS)+strlen(add_form));
+ sprintf(response, (char *) sc_hp, SC_I18N_HP_ERROR_HEADING, "", add_form, SC_I18N_LOGS, SC_I18N_LOGS_NOT_ENABLED);
+#endif
 }
 break;
-#endif
 }
 if (!response) {
 response = malloc(strlen((char *) sc_hp)+strlen(SC_I18N_HP_HEADING)+strlen(SC_I18N_HP_BODY)+strlen(add_form));
@@ -187,8 +190,8 @@ retry:
 sc_query_google(query, c, NULL, opt);
 if (already_retried++) {
 char * safequery = htmlspecialchars(query);
- response = malloc(strlen((char*) sc_hp)+strlen(safequery)*2+strlen(SC_I18N_HP_ERROR_HEADING)+strlen(SC_I18N_HP_ERROR_BODY));
- sprintf(response, (char *) sc_hp, safequery, safequery, SC_I18N_HP_ERROR_HEADING, SC_I18N_HP_ERROR_BODY);
+ response = malloc(strlen((char*) sc_hp)+strlen(safequery)*2+strlen(SC_I18N_HP_ERROR_HEADING)+strlen(SC_I18N_HP_ERROR_BODY)+strlen(add_form));
+ sprintf(response, (char *) sc_hp, safequery, safequery, add_form, SC_I18N_HP_ERROR_HEADING, SC_I18N_HP_ERROR_BODY);
 free(safequery);
 } else goto retry;
 }
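Review bot: Every `response = malloc(...)` added or changed in `sc_httpd` (the `SC_LOGMEM` branch, the new `#else` branch, and the retry-failure path in the second hunk) is still sized by a hand-maintained sum of `strlen()` calls and filled with an unbounded `sprintf`, and the `malloc` result is not checked before the write. The sum reserves no byte for the terminator, so it presumably fits only because each `%s` in the `sc_hp` template gives two bytes back; the template is not visible here, and any later change to its specifiers or to the argument list can drift out of step with the sum again, which is the class of bug this commit fixes. Letting `snprintf(NULL, 0, ...)` measure the output, allocating that plus one, and formatting with the same bounded call removes the manual bookkeeping. `sc_httpd` starts and ends outside both hunks, so the sketch below assumes `response` is NULL on entry to the branch, as the later `if (!response)` fallback suggests.

```c
#ifdef SC_LOGMEM
	char * logshtml = sc_logshtml(c);
	const char * body = logshtml ? logshtml : SC_I18N_LOGS_ERROR;
	/* measure first, so the size cannot drift from the format arguments */
	int need = snprintf(NULL, 0, (char *) sc_hp, "", "", add_form, SC_I18N_LOGS, body);
	if (need >= 0)
		response = malloc((size_t) need + 1);
	if (response)
		snprintf(response, (size_t) need + 1, (char *) sc_hp, "", "", add_form, SC_I18N_LOGS, body);
	free(logshtml);
#else
	/* … same measure-then-allocate pattern with the SC_I18N_LOGS_NOT_ENABLED arguments … */
#endif
/* … unchanged: closing brace, break, homepage fallback; the retry path takes the same pattern … */
```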
@@ -3,7 +3,7 @@
 #define SC_I18N_NO_DESCRIPTION "ni opisa"
 #define SC_I18N_HP_HEADING "dobrodošli na prvo stran <code>sear.c</code>"
 #define SC_I18N_HP_BODY "<code>sear.c</code> je program za anonimizacijo in predpomnenje rezultatov spletnih iskalnikov. " \
- "Za uporabo nekaj vnesite v iskalno vrstico zgoraj in pritisnite gumb za iskanje."
+ "Za uporabo nekaj vnesite v iskalno vrstico zgoraj in pritisnite gumb za iskanje."
 #define SC_I18N_NUMBER_OF_RESULTS "število zadetkov"
 #define SC_I18N_QUERY_TIME "čas poizvedbe"
 #define SC_I18N_DATETIME_FORMAT "%c"
@@ -12,7 +12,8 @@
 #define SC_I18N_FAILED "ni uspelo"
 #define SC_I18N_HP_ERROR_HEADING "napaka!"
 #define SC_I18N_HP_ERROR_BODY "Pridobivanje rezultatov ni uspelo. Mogoče ni rezultatov. " \
- "Preberite <a href=/logs.html>dnevniške zapise</a>."
+ "Preberite sistemske dnevnike."
 #define SC_I18N_LOGS "dnevniški zapisi"
-#define SC_I18N_LOGS_ERROR "napaka pri branju dnevniških datotek"
+#define SC_I18N_LOGS_ERROR "napaka pri branju dnevnikov"
+#define SC_I18N_LOGS_NOT_ENABLED "Zbiranje dnevniških zapisov v delovni pomnilnik ni omogočeno. <code>sear.c</code> prevedite z <code>make -e CC=\"cc -DSC_LOGMEM\"</code>; z nastavitvijo zastavice <code>SC_LOGMEM</code> omogočite pregled dnevniških zapisov znotraj aplikacije. Vselej pa se vsi dnevniški zapisi pišejo tudi na standardni izhod, kar se v primeru uporabe <code>sear.c</code> kot <code>systemd</code> storitve shranjuje v sistemske dnevnike."
 #define SC_I18N_GIT_URL "//git.sijanec.eu/sijanec/sear.c" |