mirror of
https://github.com/xroche/httrack.git
synced 2026-07-12 03:46:58 +03:00
Compare commits
1 Commits
fix-15-coo
...
fix-codeql
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
349c07f4ca |
@@ -2004,15 +2004,6 @@ LLint http_xfread1(htsblk * r, int bufl) {
|
||||
|
||||
if (bufl > 0) {
|
||||
if (!r->is_write) { // stocker en mémoire
|
||||
// In-memory content must fit a 32-bit index (allocs below add 1, reads
|
||||
// use int offsets): reject a hostile Content-Length or endless stream.
|
||||
const LLint inmem_want =
|
||||
(r->totalsize >= 0) ? r->totalsize : (r->size + bufl);
|
||||
if (inmem_want >= INT32_MAX) {
|
||||
r->statuscode = STATUSCODE_INVALID;
|
||||
strcpybuff(r->msg, "In-memory content too large");
|
||||
return READ_ERROR;
|
||||
}
|
||||
if (r->totalsize >= 0) { // totalsize déterminé ET ALLOUE
|
||||
if (r->adr == NULL) {
|
||||
r->adr = (char *) malloct((size_t) r->totalsize + 1);
|
||||
|
||||
@@ -4311,7 +4311,6 @@ int hts_wait_delayed(htsmoduleStruct * str, lien_adrfilsave *afs,
|
||||
*forbidden_url == 0 && IS_DELAYED_EXT(afs->save) && !opt->state.stop) {
|
||||
int loops;
|
||||
int continue_loop;
|
||||
char BIGSTK jar_snapshot[sizeof(((t_cookie *) 0)->data)]; /* #15 */
|
||||
|
||||
hts_log_print(opt, LOG_DEBUG, "Waiting for type to be known: %s%s", afs->af.adr,
|
||||
afs->af.fil);
|
||||
@@ -4320,10 +4319,6 @@ int hts_wait_delayed(htsmoduleStruct * str, lien_adrfilsave *afs,
|
||||
for(loops = 0, continue_loop = 1;
|
||||
IS_DELAYED_EXT(afs->save) && continue_loop && loops < 7; loops++) {
|
||||
continue_loop = 0;
|
||||
/* #15: snapshot jar to detect a Set-Cookie set by a self-redirect */
|
||||
jar_snapshot[0] = '\0';
|
||||
if (opt->accept_cookie && opt->cookie != NULL)
|
||||
strlcpybuff(jar_snapshot, opt->cookie->data, sizeof(jar_snapshot));
|
||||
|
||||
/* Wait for an available slot */
|
||||
if (!hts_wait_available_socket(sback, opt, cache, ptr))
|
||||
@@ -4521,11 +4516,6 @@ int hts_wait_delayed(htsmoduleStruct * str, lien_adrfilsave *afs,
|
||||
/* Moved! */
|
||||
else if (HTTP_IS_REDIRECT(back[b].r.statuscode)) {
|
||||
char BIGSTK mov_url[HTS_URLMAXSIZE * 2];
|
||||
/* #15: raw headers are gone here, but a Set-Cookie was folded into
|
||||
* the jar; a changed jar is the cookie-wall signal. */
|
||||
const hts_boolean jar_changed =
|
||||
opt->accept_cookie && opt->cookie != NULL &&
|
||||
strcmp(jar_snapshot, opt->cookie->data) != 0;
|
||||
|
||||
mov_url[0] = '\0';
|
||||
strcpybuff(mov_url, back[b].r.location); // copier URL
|
||||
@@ -4595,24 +4585,11 @@ int hts_wait_delayed(htsmoduleStruct * str, lien_adrfilsave *afs,
|
||||
url_savename(afs, former, heap(ptr)->adr, heap(ptr)->fil,
|
||||
opt, sback, cache, hash, ptr, numero_passe,
|
||||
&delayed_back);
|
||||
} else if (jar_changed) {
|
||||
// #15: cookie-wall self-redirect; evict the cached
|
||||
// fast-header so the re-issue refetches with the cookie.
|
||||
if (cache->cached_tests != NULL)
|
||||
coucal_remove(cache->cached_tests,
|
||||
concat(OPT_GET_BUFF(opt),
|
||||
OPT_GET_BUFF_SIZE(opt), afs->af.adr,
|
||||
afs->af.fil));
|
||||
afs->save[0] = '\0';
|
||||
url_savename(afs, former, heap(ptr)->adr, heap(ptr)->fil, opt,
|
||||
sback, cache, hash, ptr, numero_passe,
|
||||
&delayed_back);
|
||||
continue_loop = 1;
|
||||
} else {
|
||||
hts_log_print(opt, LOG_WARNING,
|
||||
"Unable to test %s%s (loop to same filename)",
|
||||
afs->af.adr, afs->af.fil);
|
||||
} // loop to same location
|
||||
} // loop to same location
|
||||
} // ident_url_relatif()
|
||||
} // location
|
||||
} // redirect
|
||||
|
||||
@@ -1310,59 +1310,6 @@ static int st_headerlong(httrackp *opt, int argc, char **argv) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* http_xfread1 must refuse an in-memory buffer whose size would exceed a 32-bit
|
||||
index (hostile Content-Length or endless stream) rather than allocate it.
|
||||
The guard returns before any socket read, so no real connection is needed. */
|
||||
static int st_xfread_limit(httrackp *opt, int argc, char **argv) {
|
||||
htsblk r;
|
||||
|
||||
(void) opt;
|
||||
(void) argc;
|
||||
(void) argv;
|
||||
|
||||
// Content-Length just over 2 GiB.
|
||||
memset(&r, 0, sizeof(r));
|
||||
r.soc = INVALID_SOCKET;
|
||||
r.totalsize = (LLint) INT32_MAX + 1;
|
||||
printf("bylen: refused=%d adr=%s msg=%s\n",
|
||||
http_xfread1(&r, 8192) == READ_ERROR, r.adr != NULL ? "alloc" : "null",
|
||||
r.msg);
|
||||
if (r.adr != NULL)
|
||||
freet(r.adr);
|
||||
|
||||
// Unknown length, buffer already at the limit: the next read would exceed it.
|
||||
memset(&r, 0, sizeof(r));
|
||||
r.soc = INVALID_SOCKET;
|
||||
r.totalsize = -1;
|
||||
r.size = (LLint) INT32_MAX;
|
||||
printf("bygrow: refused=%d adr=%s msg=%s\n",
|
||||
http_xfread1(&r, 8192) == READ_ERROR, r.adr != NULL ? "alloc" : "null",
|
||||
r.msg);
|
||||
if (r.adr != NULL)
|
||||
freet(r.adr);
|
||||
|
||||
// Exactly at the 2 GiB index (size + bufl == INT32_MAX): must also be
|
||||
// refused, since the reallocs below add 1 (a `> INT32_MAX` check would let
|
||||
// this through and overflow the int realloc size).
|
||||
memset(&r, 0, sizeof(r));
|
||||
r.soc = INVALID_SOCKET;
|
||||
r.totalsize = -1;
|
||||
r.size = (LLint) INT32_MAX - 8192;
|
||||
http_xfread1(&r, 8192);
|
||||
printf("boundary: msg=%s\n", r.msg);
|
||||
|
||||
// A legitimate small size must NOT be refused by the guard (the read then
|
||||
// fails on the invalid socket, but the size-too-large msg must not be set).
|
||||
memset(&r, 0, sizeof(r));
|
||||
r.soc = INVALID_SOCKET;
|
||||
r.totalsize = 1000;
|
||||
http_xfread1(&r, 8192);
|
||||
printf("accept: msg=%s\n", r.msg);
|
||||
if (r.adr != NULL)
|
||||
freet(r.adr);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Parse a Content-Range header and print the sanitized triple. A hostile value
|
||||
(negative or INT64 extreme) must clamp to 0 without signed-overflow UB. */
|
||||
static int st_crange(httrackp *opt, int argc, char **argv) {
|
||||
@@ -2574,8 +2521,6 @@ static const struct selftest_entry {
|
||||
st_headerlong},
|
||||
{"crange", "<raw-content-range-line> ...",
|
||||
"Content-Range parse integer safety", st_crange},
|
||||
{"xfread-limit", "", "in-memory receive buffer size bound",
|
||||
st_xfread_limit},
|
||||
{"savename", "<fil> <content-type> [key=value ...]",
|
||||
"local save-name for a URL", st_savename},
|
||||
{"sniff", "<content-type> <hex:..|text>", "MIME magic consistency",
|
||||
|
||||
@@ -1,29 +0,0 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
# http_xfread1 must refuse an in-memory receive buffer that would exceed a
|
||||
# 32-bit index (hostile Content-Length, or an endless stream) rather than
|
||||
# allocate it, while still accepting a normal small size. -#test=xfread-limit
|
||||
# drives both refusal paths and the accept path.
|
||||
|
||||
out="$(httrack -O /dev/null -#test=xfread-limit)"
|
||||
for case in bylen bygrow; do
|
||||
echo "$out" | grep -q "${case}: refused=1 adr=null msg=In-memory content too large" || {
|
||||
echo "FAIL ${case}: $out"
|
||||
exit 1
|
||||
}
|
||||
done
|
||||
|
||||
# Exactly INT32_MAX must be refused too (the reallocs add 1).
|
||||
echo "$out" | grep -q 'boundary: msg=In-memory content too large' || {
|
||||
echo "FAIL boundary: $out"
|
||||
exit 1
|
||||
}
|
||||
|
||||
# The guard must NOT fire for a legitimate small size.
|
||||
if echo "$out" | grep -q 'accept: msg=In-memory content too large'; then
|
||||
echo "FAIL accept (guard fired on a legit size): $out"
|
||||
exit 1
|
||||
fi
|
||||
@@ -1,18 +0,0 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# Cookie-wall self-redirect (#15): a page 302s to itself with a Set-Cookie;
|
||||
# httrack must replay the cookie and mirror the real page (unknown- and known-ext).
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
: "${top_srcdir:=..}"
|
||||
|
||||
bash "$top_srcdir/tests/local-crawl.sh" --errors 0 \
|
||||
--found 'cookiewall/wall.html' \
|
||||
--file-matches 'cookiewall/wall.html' 'REAL-CONTENT-BEHIND-COOKIE-WALL' \
|
||||
httrack 'BASEURL/cookiewall/index.html'
|
||||
|
||||
bash "$top_srcdir/tests/local-crawl.sh" --errors 0 \
|
||||
--found 'cookiewall2/wall.html' \
|
||||
--file-matches 'cookiewall2/wall.html' 'REAL-CONTENT-BEHIND-COOKIE-WALL' \
|
||||
httrack 'BASEURL/cookiewall2/index.html'
|
||||
@@ -66,7 +66,6 @@ TESTS = \
|
||||
01_engine-urlhack.test \
|
||||
01_engine-unescape-bounds.test \
|
||||
01_engine-useragent.test \
|
||||
01_engine-xfread.test \
|
||||
01_zlib-acceptencoding.test \
|
||||
01_zlib-cache.test \
|
||||
01_zlib-cache-corrupt.test \
|
||||
@@ -119,7 +118,6 @@ TESTS = \
|
||||
45_local-maxsize-recv.test \
|
||||
46_local-update-304-resume.test \
|
||||
47_local-crange-overflow.test \
|
||||
48_local-crange-memresume.test \
|
||||
49_local-cookiewall.test
|
||||
48_local-crange-memresume.test
|
||||
|
||||
CLEANFILES = check-network_sh.cache
|
||||
|
||||
@@ -1143,35 +1143,6 @@ class Handler(SimpleHTTPRequestHandler):
|
||||
def route_delayed_empty(self):
|
||||
self.send_raw(b"", "text/html") # 200 + Content-Length: 0
|
||||
|
||||
# --- /cookiewall/ (#15): a self-redirect that only sets a cookie is a
|
||||
# consent wall; httrack must replay the cookie and fetch the real page.
|
||||
WALL_MARK = b"REAL-CONTENT-BEHIND-COOKIE-WALL"
|
||||
|
||||
def route_cookiewall_index(self):
|
||||
self.send_html('\t<a href="wall.php">wall</a>')
|
||||
|
||||
def route_cookiewall_wall(self):
|
||||
self._cookiewall_reply("wall.php")
|
||||
|
||||
# Known-extension twin: .html so the type is not delayed-resolved.
|
||||
def route_cookiewall2_index(self):
|
||||
self.send_html('\t<a href="wall.html">wall</a>')
|
||||
|
||||
def route_cookiewall2_wall(self):
|
||||
self._cookiewall_reply("wall.html")
|
||||
|
||||
def _cookiewall_reply(self, location):
|
||||
if self.request_cookies().get("gate") == "1":
|
||||
self.send_raw(
|
||||
b"<html><body>" + self.WALL_MARK + b"</body></html>\n", "text/html"
|
||||
)
|
||||
else:
|
||||
self.send_response(302, "Found")
|
||||
self.send_header("Location", location)
|
||||
self.send_header("Set-Cookie", "gate=1; Path=/")
|
||||
self.send_header("Content-Length", "0")
|
||||
self.end_headers()
|
||||
|
||||
# -E time-limit (#481): pages that trickle far longer than any -E budget,
|
||||
# so only an engine-side abort can end the crawl.
|
||||
TRICKLE_SECONDS = 60
|
||||
@@ -1388,10 +1359,6 @@ class Handler(SimpleHTTPRequestHandler):
|
||||
"/delayed/chain7.php": route_delayed_chain,
|
||||
"/delayed/chain8.php": route_delayed_chain,
|
||||
"/delayed/chain9.php": route_delayed_chain,
|
||||
"/cookiewall/index.html": route_cookiewall_index,
|
||||
"/cookiewall/wall.php": route_cookiewall_wall,
|
||||
"/cookiewall2/index.html": route_cookiewall2_index,
|
||||
"/cookiewall2/wall.html": route_cookiewall2_wall,
|
||||
"/redir/index.html": route_redir_index,
|
||||
"/redir/go.php": route_redir_go,
|
||||
"/redir/target.html": route_redir_target,
|
||||
|
||||
Reference in New Issue
Block a user