[dovecot/core] 9a5b49: lib-http: harden payload tests against dodgy filen...
GitHub
noreply at github.com
Thu Aug 30 15:30:13 EEST 2018
Branch: refs/heads/master
Home: https://github.com/dovecot/core
Commit: 9a5b493cc40712d9be0affa9e7ee8ceb06cad4f2
https://github.com/dovecot/core/commit/9a5b493cc40712d9be0affa9e7ee8ceb06cad4f2
Author: Phil Carmody <phil at dovecot.fi>
Date: 2018-08-30 (Thu, 30 Aug 2018)
Changed paths:
M src/lib-http/test-http-payload.c
Log Message:
-----------
lib-http: harden payload tests against dodgy filenames
Tests use files from readdir() as input, but do no sanitation of the
names, and therefore things like editor temp files can cause havoc
with the HTTP request parser.
The solution is to trap dodgy characters in the filenames, and ignore
those files. Initially, trap HTTP's "unsafe" and "reserved" characters.
Signed-off-by: Phil Carmody <phil at dovecot.fi>
Commit: c00c6386b45a9840c724bbae620807921c5b715f
https://github.com/dovecot/core/commit/c00c6386b45a9840c724bbae620807921c5b715f
Author: Phil Carmody <phil at dovecot.fi>
Date: 2018-08-30 (Thu, 30 Aug 2018)
Changed paths:
M src/lib-http/http-client.c
M src/lib-http/http-server.c
Log Message:
-----------
lib-http: change default client/server pool sizes when using SSL
SSL carries a lot of state with it, so just start with a bigger
pool if we know we're using it.
Signed-off-by: Phil Carmody <phil at dovecot.fi>
Commit: 14fe3df51a7048b2901e9d1ebbba748c07079adc
https://github.com/dovecot/core/commit/14fe3df51a7048b2901e9d1ebbba748c07079adc
Author: Phil Carmody <phil at dovecot.fi>
Date: 2018-08-30 (Thu, 30 Aug 2018)
Changed paths:
M src/lib-http/http-request-parser.c
Log Message:
-----------
lib-http: library default pool allocation increases
Many pools will need to grow even when the smallest amount of work is
done within them, which can spam the logs.
Signed-off-by: Phil Carmody <phil at dovecot.fi>
Commit: 07c6d395e43b8606da7557377a1315993c675805
https://github.com/dovecot/core/commit/07c6d395e43b8606da7557377a1315993c675805
Author: Phil Carmody <phil at dovecot.fi>
Date: 2018-08-30 (Thu, 30 Aug 2018)
Changed paths:
M src/lib-http/test-http-payload.c
M src/lib-http/test-http-server-errors.c
Log Message:
-----------
lib-http: increase pool sizes in tests
Pool growth messages spam the test output, just dive in with a slightly
larger default to shut them up. Only affects these individual tests,
not any other users of the library.
Signed-off-by: Phil Carmody <phil at dovecot.fi>
Commit: ef47c3da96788e4a18db5b8d0149168fd13e0f5e
https://github.com/dovecot/core/commit/ef47c3da96788e4a18db5b8d0149168fd13e0f5e
Author: Phil Carmody <phil at dovecot.fi>
Date: 2018-08-30 (Thu, 30 Aug 2018)
Changed paths:
M m4/dovecot.m4
Log Message:
-----------
m4/dovecot.m4 - Apply DRY principle to test output filename
Define the name we will use for the file once, then just use that variable
instead of using explicit repeatition.
Signed-off-by: Phil Carmody <phil at dovecot.fi>
Commit: 52c1c9950e473201ff301eef3d7f899ca272b5aa
https://github.com/dovecot/core/commit/52c1c9950e473201ff301eef3d7f899ca272b5aa
Author: Phil Carmody <phil at dovecot.fi>
Date: 2018-08-30 (Thu, 30 Aug 2018)
Changed paths:
M m4/dovecot.m4
Log Message:
-----------
m4/dovecot.m4: rename valgrind output file to hide it from certain tests
Some lib-http tests use readdir() to create test cases, and sometimes
object to the contents of test.out.$$. However, as lib-http is also
sensitive to certain characters in the filenames of the files it uses,
we can hide the valgrind output by chosing its filename to exclude it
from the lib_http tests. Non-initial '~' is not known to cause any issues
for either the shell or any known operating system, so is the safest of
lib-http's 'dodgy' characters to use as the separator.
Signed-off-by: Phil Carmody <phil at dovecot.fi>
Commit: 4adae0e1a832f88f5737a13c6fe2537d9e47835c
https://github.com/dovecot/core/commit/4adae0e1a832f88f5737a13c6fe2537d9e47835c
Author: Phil Carmody <phil at dovecot.fi>
Date: 2018-08-30 (Thu, 30 Aug 2018)
Changed paths:
M src/lib/array.h
Log Message:
-----------
lib/array - give arrays the non-freeing deinit that strings and buffers have
Buffers provide the ability to free the control block but preserve and
return the previously controlled data to the caller: buffer_free_without_data().
As wrapped buffers, strings also have this functionality: str_free_without_data().
(They have to do that, as their buffer implementation is encapsulated away
out of sight to the str.h user.)
Arrays, also wrapped buffers, are missing this capability under the 'array'
name, you have to use the buffer function call, which involves diving into
the guts of the array implementation (because arrays do not hide their
implementation like strings do), and also sacrifices array's type safety.
With this inline helper, it should be simple, obvious, clean and safe.
Signed-off-by: Phil Carmody <phil at dovecot.fi>
Commit: b8294e0c20dfda55280271b26310625f39470ec1
https://github.com/dovecot/core/commit/b8294e0c20dfda55280271b26310625f39470ec1
Author: Phil Carmody <phil at dovecot.fi>
Date: 2018-08-30 (Thu, 30 Aug 2018)
Changed paths:
M src/lib/test-array.c
Log Message:
-----------
lib: test-array - tests that freeing without data doesn't free the data
Signed-off-by: Phil Carmody <phil at dovecot.fi>
Commit: 9d1c335716bf75f2e751cd7272fd4f7feca2b6d0
https://github.com/dovecot/core/commit/9d1c335716bf75f2e751cd7272fd4f7feca2b6d0
Author: Phil Carmody <phil at dovecot.fi>
Date: 2018-08-30 (Thu, 30 Aug 2018)
Changed paths:
M src/pop3/pop3-client.c
Log Message:
-----------
pop3: use array interface rather than internal buffer to access data
Signed-off-by: Phil Carmody <phil at dovecot.fi>
Compare: https://github.com/dovecot/core/compare/0ad7ac26ac81...9d1c335716bf
**NOTE:** This service has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/
Functionality will be removed from GitHub.com on January 31st, 2019.
More information about the dovecot-cvs
mailing list