Updates the libinjection

2025-09-29 19:24:29 +03:00 · 2017-04-27 18:40:50 -03:00
parent 2c07a17fa3
commit a4724dfdab
7 changed files with 1155 additions and 699 deletions
--- a/apache2/libinjection/libinjection_html5.c
+++ b/apache2/libinjection/libinjection_html5.c
@@ -71,20 +71,20 @@ void libinjection_h5_init(h5_state_t* hs, const char* s, size_t len, enum html5_

    switch (flags) {
    case DATA_STATE:
-      hs->state = h5_state_data;
-      break;
+        hs->state = h5_state_data;
+        break;
    case VALUE_NO_QUOTE:
-      hs->state = h5_state_before_attribute_name;
-      break;
+        hs->state = h5_state_before_attribute_name;
+        break;
    case VALUE_SINGLE_QUOTE:
-      hs->state = h5_state_attribute_value_single_quote;
-      break;
+        hs->state = h5_state_attribute_value_single_quote;
+        break;
    case VALUE_DOUBLE_QUOTE:
-      hs->state = h5_state_attribute_value_double_quote;
-      break;
+        hs->state = h5_state_attribute_value_double_quote;
+        break;
    case VALUE_BACK_QUOTE:
-      hs->state = h5_state_attribute_value_back_quote;
-      break;
+        hs->state = h5_state_attribute_value_back_quote;
+        break;
    }
 }

@@ -100,10 +100,18 @@ int libinjection_h5_next(h5_state_t* hs)
 /**
 * Everything below here is private
 *
-*/
+ */
+

 static int h5_is_white(char ch)
 {
+    /*
+     * \t = horizontal tab = 0x09
+     * \n = newline = 0x0A
+     * \v = vertical tab = 0x0B
+     * \f = form feed = 0x0C
+     * \r = cr  = 0x0D
+     */
    return strchr(" \t\n\v\f\r", ch) != NULL;
 }

@@ -112,19 +120,19 @@ static int h5_skip_white(h5_state_t* hs)
    char ch;
    while (hs->pos < hs->len) {
        ch = hs->s[hs->pos];
-	switch (ch) {
-	case 0x00: /* IE only */
-	case 0x20:
-	case 0x09:
-	case 0x0A:
-	case 0x0B: /* IE only */
-	case 0x0C:
+        switch (ch) {
+        case 0x00: /* IE only */
+        case 0x20:
+        case 0x09:
+        case 0x0A:
+        case 0x0B: /* IE only */
+        case 0x0C:
        case 0x0D: /* IE only */
            hs->pos += 1;
-	    break;
-	default:
+            break;
+        default:
            return ch;
-	}
+        }
    }
    return CHAR_EOF;
 }
@@ -259,12 +267,12 @@ static int h5_state_tag_name(h5_state_t* hs)
    pos = hs->pos;
    while (pos < hs->len) {
        ch = hs->s[pos];
-	if (ch == 0) {
-	  /* special non-standard case */
-	  /* allow nulls in tag name   */
-	  /* some old browsers apparently allow and ignore them */
-	  pos += 1;
-	} else if (h5_is_white(ch)) {
+        if (ch == 0) {
+            /* special non-standard case */
+            /* allow nulls in tag name   */
+            /* some old browsers apparently allow and ignore them */
+            pos += 1;
+        } else if (h5_is_white(ch)) {
            hs->token_start = hs->s + hs->pos;
            hs->token_len = pos - hs->pos;
            hs->token_type = TAG_NAME_OPEN;
@@ -332,7 +340,7 @@ static int h5_state_before_attribute_name(h5_state_t* hs)
    default: {
        return h5_state_attribute_name(hs);
    }
-  }
+    }
 }

 static int h5_state_attribute_name(h5_state_t* hs)
@@ -450,12 +458,12 @@ static int h5_state_attribute_value_quote(h5_state_t* hs, char qchar)
    TRACE();

    /* skip initial quote in normal case.
-     * dont do this is pos == 0 since it means we have started
+     * don't do this "if (pos == 0)" since it means we have started
     * in a non-data state.  given an input of '><foo
     * we want to make 0-length attribute name
     */
    if (hs->pos > 0) {
-      hs->pos += 1;
+        hs->pos += 1;
    }


@@ -705,10 +713,13 @@ static int h5_state_comment(h5_state_t* hs)
    char ch;
    const char* idx;
    size_t pos;
+    size_t offset;
+    const char* end = hs->s + hs->len;

    TRACE();
    pos = hs->pos;
    while (1) {
+
        idx = (const char*) memchr(hs->s + pos, CHAR_DASH, hs->len - pos);

        /* did not find anything or has less than 3 chars left */
@@ -719,21 +730,62 @@ static int h5_state_comment(h5_state_t* hs)
            hs->token_type = TAG_COMMENT;
            return 1;
        }
-        ch = *(idx + 1);
+        offset = 1;
+
+        /* skip all nulls */
+        while (idx + offset < end && *(idx + offset) == 0) {
+            offset += 1;
+        }
+        if (idx + offset == end) {
+            hs->state = h5_state_eof;
+            hs->token_start = hs->s + hs->pos;
+            hs->token_len = hs->len - hs->pos;
+            hs->token_type = TAG_COMMENT;
+            return 1;
+        }
+
+        ch = *(idx + offset);
        if (ch != CHAR_DASH && ch != CHAR_BANG) {
            pos = (size_t)(idx - hs->s) + 1;
            continue;
        }
-        ch = *(idx + 2);
+
+        /* need to test */
+#if 0
+        /* skip all nulls */
+        while (idx + offset < end && *(idx + offset) == 0) {
+            offset += 1;
+        }
+        if (idx + offset == end) {
+            hs->state = h5_state_eof;
+            hs->token_start = hs->s + hs->pos;
+            hs->token_len = hs->len - hs->pos;
+            hs->token_type = TAG_COMMENT;
+            return 1;
+        }
+#endif
+
+        offset += 1;
+        if (idx + offset == end) {
+            hs->state = h5_state_eof;
+            hs->token_start = hs->s + hs->pos;
+            hs->token_len = hs->len - hs->pos;
+            hs->token_type = TAG_COMMENT;
+            return 1;
+        }
+
+
+        ch = *(idx + offset);
        if (ch != CHAR_GT) {
            pos = (size_t)(idx - hs->s) + 1;
            continue;
        }
+        offset += 1;

        /* ends in --> or -!> */
        hs->token_start = hs->s + hs->pos;
        hs->token_len = (size_t)(idx - hs->s) - hs->pos;
-        hs->pos = (size_t)(idx - hs->s) + 3;
+        hs->pos = (size_t)(idx + offset - hs->s);
        hs->state = h5_state_data;
        hs->token_type = TAG_COMMENT;
        return 1;