Bug #2564

strtol() usage

Added by Olaf-van-der-Spek over 3 years ago. Updated over 1 year ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 2014-03-26
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x: No

Description

Lighttpd is using strtol() and atoi() to parse numbers, but I think it's not properly checking for errors.

For example:
server.port = " 80" // good
server.port = "80 " // bad

The code isn't checking for range errors. You might want to use a simple strtol() wrapper to fix this.

Associated revisions

Revision 3122 (diff)
Added by stbuehler over 1 year ago

validate return values from strtol, strtoul (fixes #2564)

From: Glenn Strauss

Revision f5453290 (diff)
Added by gstrauss over 1 year ago

validate return values from strtol, strtoul (fixes #2564)

From: Glenn Strauss

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@3122 152afb58-edef-0310-8abb-c4023f1b3aa9

History

#1

Updated by darix over 3 years ago

use

server.port = 80

#2

Updated by Olaf-van-der-Spek over 3 years ago

darix wrote:

use [...]

I know, just pointing out an inconsistency.

#3

Updated by gstrauss over 1 year ago

While changes such as this are low priority, consistency is good.

Submitted pull request https://github.com/lighttpd/lighttpd1.4/pull/26

#4

Updated by stbuehler over 1 year ago

  • Target version set to 1.4.x

The question is whether surrounding whitespace should actually be rejected - and given that we accepted it for some time I'd rather not change that.

#5

Updated by gstrauss over 1 year ago

Would you accept the patch if I modify the patch hunk for configparser.y to issue a warning instead of an error? Checking strtol() for errors is not a bad thing. Whether or not to propagate the error is the question, and you have shared that you prefer not to change existing behavior to propagate the error for config parsing. There are other uses of strtol() where some extra checks can improve robustness of the code.
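An added example, not code from lighttpd or from the pull request: a strtol() wrapper that checks for missing digits, trailing characters and range errors, and reports trailing whitespace separately so a caller can warn instead of failing, as the report and the comments above discuss. The names parse_num and num_status and the 1 to 65535 port range are assumptions made for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names; not taken from lighttpd or the pull request. */
enum num_status {
    NUM_OK,          /* clean number */
    NUM_WARN_SPACE,  /* valid number followed only by whitespace: caller may warn */
    NUM_ERR_EMPTY,   /* no digits at all */
    NUM_ERR_JUNK,    /* non-whitespace after the digits */
    NUM_ERR_RANGE    /* overflowed long, or outside [min, max] */
};

enum num_status parse_num(const char *s, long min, long max, long *out)
{
    char *end;
    long v;

    errno = 0;                       /* strtol only sets errno, never clears it */
    v = strtol(s, &end, 10);         /* skips leading whitespace by itself */
    if (end == s) return NUM_ERR_EMPTY;
    if (errno == ERANGE || v < min || v > max) return NUM_ERR_RANGE;

    if (*end != '\0') {              /* something follows the digits */
        const char *p = end;
        while (isspace((unsigned char)*p)) p++;
        if (*p != '\0') return NUM_ERR_JUNK;
        *out = v;
        return NUM_WARN_SPACE;
    }
    *out = v;
    return NUM_OK;
}

int main(void)
{
    /* Constructed sample values, including the two from the report. */
    const char *samples[] = { " 80", "80 ", "80abc", "", "65536",
                              "99999999999999999999999" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        long port = 0;
        enum num_status st = parse_num(samples[i], 1, 65535, &port);
        printf("\"%s\" -> status %d, value %ld\n", samples[i], (int)st, port);
    }
    return 0;
}
```

Because strtol() consumes leading whitespace itself, " 80" parses cleanly while "80 " leaves the end pointer on the space, which is the asymmetry the report points out.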

#6

Updated by gstrauss over 1 year ago

Updated https://github.com/lighttpd/lighttpd1.4/pull/26 to change config parsing strtol() error to a warning.

#7

Updated by stbuehler over 1 year ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r3122.

#8

Updated by stbuehler over 1 year ago

  • Target version changed from 1.4.x to 1.4.40
