This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [PATCH v6] Improve DST handling (Bug 23102, Bug 21942, Bug 18018, Bug, 23259, CVE-2011-0536 ).
On Jun 12 2018, Carlos O'Donell <carlos@redhat.com> wrote:
> + /* Check for matching name, following closing curly brace (if
> + required), or trailing characters which are part of an
> + identifier. */
> + size_t rlen = strlen (ref);
> + if (strncmp (input, ref, rlen) != 0
> + || (is_curly && input[rlen] != '}')
> + || ((input[rlen] >= 'A' && input[rlen] <= 'Z')
> + || (input[rlen] >= 'a' && input[rlen] <= 'z')
> + || (input[rlen] >= '0' && input[rlen] <= '9')
> + || (input[rlen] == '_')))
That will always reject ${FOO}. If is_curly is true, the other checks
must not be performed.
Andreas.
--
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
- References:
- [PATCH] Improve DST handling (Bug 23102, Bug 21942, Bug 18018, Bug, 23259, CVE-2011-0536 ).
- Re: [PATCH] Improve DST handling (Bug 23102, Bug 21942, Bug 18018, Bug, 23259, CVE-2011-0536 ).
- Re: [PATCH] Improve DST handling (Bug 23102, Bug 21942, Bug 18018, Bug, 23259, CVE-2011-0536 ).
- Re: [PATCH v4] Improve DST handling (Bug 23102, Bug 21942, Bug 18018, Bug, 23259, CVE-2011-0536 ).
- Re: [PATCH v4] Improve DST handling (Bug 23102, Bug 21942, Bug 18018, Bug, 23259, CVE-2011-0536 ).
- [PATCH v6] Improve DST handling (Bug 23102, Bug 21942, Bug 18018, Bug, 23259, CVE-2011-0536 ).