From: Wilfried Göesgens
Date: Mon, 5 May 2008 21:23:10 +0000 (+0000)
Subject: * sanitize cookie stuff
X-Git-Tag: v7.86~2285
X-Git-Url: https://code.citadel.org/?a=commitdiff_plain;h=788a49af9c150f1dbf110230352e7b1324dfe3b4;hp=d7c25f23120a33ffd4bbac1aba246413f0d5f045;p=citadel.git
* sanitize cookie stuff
---
diff --git a/webcit/cookie_conversion.c b/webcit/cookie_conversion.c
index 328d72fe1..fd3082b79 100644
--- a/webcit/cookie_conversion.c
+++ b/webcit/cookie_conversion.c
@@ -35,7 +35,7 @@ void stuff_to_cookie(char *cookie, size_t clen, int session, len = snprintf(buf, SIZ, "%d|%s|%s|%s|", session, user, pass, room); strcpy(cookie, "");
- for (i=0; i 0))
+ while (!IsEmptyStr(in) && isxdigit((byte) *in) && (len-- > 0))
 { c = *in++; val <<= 4;
- val += isdigit((unsigned char)c)
- ? (c - '0')
- : (tolower((unsigned char)c) - 'a' + 10);
+ if (!isdigit((unsigned char)c)) {
+ c = tolower((unsigned char) c);
+ if ((c < 'a') || (c > 'f'))
+ return 0;
+ val += c - 'a' + 10 ;
+ }
+ else
+ val += c - '0';
 } return val; }
@@ -81,7 +86,7 @@ void cookie_to_stuff(char *cookie, int *session, int i, len; strcpy(buf, "");
- len = strlen(cookie) * 2 ;
+ len = strlen(cookie) / 2;
 for (i=0; i
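Review bot: In the hex-digit loop, the added `if ((c < 'a') || (c > 'f')) return 0;` looks unreachable, because the new `while` condition already stops on any character that fails `isxdigit`. Malformed input therefore ends the loop early and the function returns whatever was accumulated so far, and a 0 result would in any case look the same as a valid `00` byte. Since the cookie comes from the client, I would choose one behaviour and document it: either drop the inner range check and add a comment such as `/* stops at the first non-hex character; returns the digits accumulated so far */`, or give the function a distinct failure signal so that `cookie_to_stuff` can reject the whole cookie instead of decoding a prefix. The function's signature and the start of this hunk are not visible in this rendering (text between `i` and `0))` was lost), so the type of `val` and how the result is used are assumptions.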