On Sat, Feb 26, 2022 at 10:55:59AM +0100, prx wrote:
> First, thank you for your interest!
>
> > > Shouldn't we check for truncation on strlcpy and strlcat and goto fail
> > > in that event?
>
> With goto abort we get a 500 internal server error.
>
> Moreover, if the strlcpy and strlcat failed, then the file requested
> (gpath) is obviously not found, and httpd switches back to original path.
>
> But to avoid unexpected behaviour, maybe something like this can be enough?
>

I'd prefer the hard failure. I'm sure someone else will chime in if they
think otherwise. Thanks! :)

> ```
> int gztoolong = 0;
>
> /* check Accept-Encoding header */
> key.kv_key = "Accept-Encoding";
> r = kv_find(&req->http_headers, &key);
>
> if (r != NULL) {
> 	if (strstr(r->kv_value, "gzip") != NULL) {
> 		/* append ".gz" to path and check existence */
> 		if (strlcpy(gzpath, path, sizeof(gzpath)) >= sizeof(gzpath))
> 			gztoolong = 1;
> 		if (strlcat(gzpath, ".gz", sizeof(gzpath)) >= sizeof(gzpath))
> 			gztoolong = 1;
>
> 		if ((gztoolong == 0) &&
> 		    (access(gzpath, R_OK) == 0) &&
> 		    (stat(gzpath, &gzst) == 0)) {
> 			path = gzpath;
> 			st = &gzst;
> 			kv_add(&resp->http_headers,
> 			    "Content-Encoding", "gzip");
> 		}
> ```
>

--
Tracey Emery
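
The two policies discussed in this thread, side by side, as an added example that is not part of the original mail or of httpd. It uses snprintf() as a portable stand-in for the strlcpy()/strlcat() pair; the names gz_path, choose_path, gz_result and the 16-byte buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum gz_result { GZ_OK = 0, GZ_FALLBACK = 1, GZ_FAIL = -1 };

/*
 * Build "<path>.gz" in out. Like strlcpy()/strlcat(), snprintf() returns
 * the length the full string needs, so a value >= outlen means truncation.
 */
static int
gz_path(char *out, size_t outlen, const char *path)
{
	int n = snprintf(out, outlen, "%s.gz", path);

	return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/*
 * hard_fail != 0: truncation aborts the request (the reply's preference).
 * hard_fail == 0: truncation is flagged and the original path is served
 * (the gztoolong variant quoted above).
 */
static enum gz_result
choose_path(const char *path, int hard_fail, char *gzpath, size_t len,
    const char **served)
{
	*served = path;
	if (gz_path(gzpath, len, path) == -1)
		return hard_fail ? GZ_FAIL : GZ_FALLBACK;
	*served = gzpath;	/* caller would still access()/stat() it */
	return GZ_OK;
}

int
main(void)
{
	char buf[16];	/* constructed: tiny buffer instead of PATH_MAX */
	const char *served;
	const char *paths[] = { "/index.html", "/downloads/a.tar" };

	for (size_t i = 0; i < 2; i++) {
		int r = choose_path(paths[i], 1, buf, sizeof(buf), &served);
		printf("%-18s -> %d, buf=\"%s\"\n", paths[i], r, buf);
	}
	return 0;
}
```

For the second constructed path the buffer ends up holding `/downloads/a.ta`, a name that was never requested, which is why the return values have to be checked before gzpath is passed to access() or stat().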