From fc384b16fb9787380746000d3cea2d53fccc548e Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@redhat.com>
Date: Mon, 28 Feb 2011 12:18:57 +0100
Subject: do not infloop on a query ending in %XY, for invalid hex X or Y

When a query ends in say %gg, (or any invalid hex) e.g.,
http://git.gnome.org/browse/gdlmm/commit/?id=%gg
convert_query_hexchar calls memmove(txt, txt+3, 0), and then returns
txt-1, so the loop in http_parse_querystring never terminates.  The
solution is to make the memmove also copy the trailing NUL.
* html.c (convert_query_hexchar): Fix off-by-one error.

Signed-off-by: Lars Hjemli <hjemli@gmail.com>
---
 html.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html.c b/html.c
index d86b2c1..5336596 100644
--- a/html.c
+++ b/html.c
@@ -249,7 +249,7 @@ char *convert_query_hexchar(char *txt)
 	d1 = hextoint(*(txt+1));
 	d2 = hextoint(*(txt+2));
 	if (d1<0 || d2<0) {
-		memmove(txt, txt+3, n-3);
+		memmove(txt, txt+3, n-2);
 		return txt-1;
 	} else {
 		*txt = d1 * 16 + d2;
-- 
cgit 1.4.1

><td class='sub'>DON'T USE THIS! --- web frontend for git
</td><td class='sub right'></td></tr></table>
<table class='tabs'><tr><td>
<a href='/cgit-pink/about/?h=1.3.0'>about</a> <a href='/cgit-pink/?h=1.3.0'>summary</a> <a href='/cgit-pink/refs/?h=1.3.0&amp;id=9dde6d38e9fc273fc62386eeda0da2e89a2cebfc'>refs</a> <a class='active' href='/cgit-pink/log/filters/email-gravatar.lua?h=1.3.0&amp;showmsg=1&amp;follow=1'>log</a> <a href='/cgit-pink/tree/filters/email-gravatar.lua?h=1.3.0&amp;id=9dde6d38e9fc273fc62386eeda0da2e89a2cebfc'>tree</a> <a href='/cgit-pink/commit/filters/email-gravatar.lua?h=1.3.0&amp;id=9dde6d38e9fc273fc62386eeda0da2e89a2cebfc&amp;follow=1'>commit</a> <a href='/cgit-pink/diff/filters/email-gravatar.lua?h=1.3.0&amp;id=9dde6d38e9fc273fc62386eeda0da2e89a2cebfc&amp;follow=1'>diff</a></td><td class='form'><form class='right' method='get' action='/cgit-pink/log/filters/email-gravatar.lua'>
<input type='hidden' name='h' value='1.3.0'/><input type='hidden' name='id' value='9dde6d38e9fc273fc62386eeda0da2e89a2cebfc'/><input type='hidden' name='showmsg' value='1'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/cgit-pink/log/?h=1.3.0&amp;id=9dde6d38e9fc273fc62386eeda0da2e89a2cebfc&amp;showmsg=1&amp;follow=1'>root</a>/<a href='/cgit-pink/log/filters?h=1.3.0&amp;id=9dde6d38e9fc273fc62386eeda0da2e89a2cebfc&amp;showmsg=1&amp;follow=1'>filters</a>/<a href='/cgit-pink/log/filters/email-gravatar.lua?h=1.3.0&amp;id=9dde6d38e9fc273fc62386eeda0da2e89a2cebfc&amp;showmsg=1&amp;follow=1'>email-gravatar.lua</a> (<a href='/cgit-pink/log/filters/email-gravatar.lua?h=1.3.0&amp;id=9dde6d38e9fc273fc62386eeda0da2e89a2cebfc&amp;showmsg=1'>unfollow</a>)</div><div class='content'><table class='list nowrap'><tr class='nohover'><th></th><th class='left'>Commit message (<a href='/cgit-pink/log/filters/email-gravatar.lua?h=1.3.0&amp;id=9dde6d38e9fc273fc62386eeda0da2e89a2cebfc&amp;follow=1'>Collapse</a>)</th><th class='left'>Author</th></tr>
<tr class='logheader'><td><span title='2014-01-17 14:01:27 +0100'>2014-01-17</span></td><td class='logsubject'><a href='/cgit-pink/commit/ui-repolist.c?h=1.3.0&amp;id=a2b6b3717567a5b57a19d19ed89af324296f39a9&amp;follow=1'>repolist: make owner clickable to search</a></td><td>Jason A. Donenfeld</td></tr>
<tr class='nohover-highlight'><td/><td colspan='3' class='logmsg'>
Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;


</td></tr>
<tr class='logheader'><td><span title='2014-01-17 13:53:37 +0100'>2014-01-17</span></td><td class='logsubject'><a href='/cgit-pink/commit/ui-shared.c?h=1.3.0&amp;id=3cbbb8ea39d7a85cb5d3c14f81abb174a8b49b95&amp;follow=1'>ui-shared: move about tab all the way to the left</a></td><td>Jason A. Donenfeld</td></tr>
<tr class='nohover-highlight'><td/><td colspan='3' class='logmsg'>
There were no objections (at the time of committing this):
   http://lists.zx2c4.com/pipermail/cgit/2013-May/001393.html
   http://lists.zx2c4.com/pipermail/cgit/2014-January/001904.html

Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;


</td></tr>
<tr class='logheader'><td><span title='2014-01-17 13:53:02 +0100'>2014-01-17</span></td><td class='logsubject'><a href='/cgit-pink/commit/filter.c?h=1.3.0&amp;id=9786f4613da38cb263e76263370d7816a9347149&amp;follow=1'>filter: don't forget to reap the auth filter</a></td><td>Jason A. Donenfeld</td></tr>
<tr class='nohover-highlight'><td/><td colspan='3' class='logmsg'>
Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;


</td></tr>
<tr class='logheader'><td><span title='2014-01-17 00:48:17 +0100'>2014-01-17</span></td><td class='logsubject'><a href='/cgit-pink/commit/cgit.c?h=1.3.0&amp;id=9999b0a3e915c76a52be433830660e803ef71cb0&amp;follow=1'>cgit.c: free tmp variable</a></td><td>Jason A. Donenfeld</td></tr>
<tr class='nohover-highlight'><td/><td colspan='3' class='logmsg'>
Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;


</td></tr>
<tr class='logheader'><td><span title='2014-01-17 00:44:54 +0100'>2014-01-17</span></td><td class='logsubject'><a href='/cgit-pink/commit/ui-stats.h?h=1.3.0&amp;id=f60ffa143cca61e9729ac71033e1a556cf422871&amp;follow=1'>Switch to exclusively using global ctx</a></td><td>Lukas Fleischer</td></tr>
<tr class='nohover-highlight'><td/><td colspan='3' class='logmsg'>
Drop the context parameter from the following functions (and all static
helpers used by them) and use the global context instead:

* cgit_print_http_headers()
* cgit_print_docstart()
* cgit_print_pageheader()

Remove context parameter from all commands

Drop the context parameter from the following functions (and all static
helpers used by them) and use the global context instead:

* cgit_get_cmd()
* All cgit command functions.
* cgit_clone_info()
* cgit_clone_objects()
* cgit_clone_head()
* cgit_print_plain()
* cgit_show_stats()

In initialization routines, use the global context variable instead of
passing a pointer around locally.

Remove callback data parameter for cache slots

This is no longer needed since the context is always read from the
global context variable.

Signed-off-by: Lukas Fleischer &lt;cgit@cryptocrack.de&gt;


</td></tr>
<tr class='logheader'><td><span title='2014-01-16 23:21:54 +0100'>2014-01-16</span></td><td class='logsubject'><a href='/cgit-pink/commit/ui-shared.h?h=1.3.0&amp;id=a431326e8fab8153905fbde036dd3c9fb4cc8eaa&amp;follow=1'>auth: have cgit calculate login address</a></td><td>Jason A. Donenfeld</td></tr>
<tr class='nohover-highlight'><td/><td colspan='3' class='logmsg'>
This way we're sure to use virtual root, or any other strangeness
encountered.

Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;


</td></tr>
<tr class='logheader'><td><span title='2014-01-16 19:47:35 +0100'>2014-01-16</span></td><td class='logsubject'><a href='/cgit-pink/commit/filters/simple-authentication.lua?h=1.3.0&amp;id=df00ab1096868b3cffe563c48de5572f78b50392&amp;follow=1'>auth: lua string comparisons are time invariant</a></td><td>Jason A. Donenfeld</td></tr>
<tr class='nohover-highlight'><td/><td colspan='3' class='logmsg'>
By default, strings are compared by hash, so we can remove this comment.

Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;


</td></tr>
<tr class='logheader'><td><span title='2014-01-16 12:13:39 +0100'>2014-01-16</span></td><td class='logsubject'><a href='/cgit-pink/commit/filters/simple-authentication.lua?h=1.3.0&amp;id=b826537cb4aa2358027ffcb1dd6a87274734e962&amp;follow=1'>authentication: use hidden form instead of referer</a></td><td>Jason A. Donenfeld</td></tr>
<tr class='nohover-highlight'><td/><td colspan='3' class='logmsg'>
This also gives us some CSRF protection. Note that we make use of the
hmac to protect the redirect value.

Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;


</td></tr>
<tr class='logheader'><td><span title='2014-01-16 02:28:12 +0100'>2014-01-16</span></td><td class='logsubject'><a href='/cgit-pink/commit/ui-shared.c?h=1.3.0&amp;id=d6e9200cc35411f3f27426b608bcfdef9348e6d3&amp;follow=1'>auth: add basic authentication filter framework</a></td><td>Jason A. Donenfeld</td></tr>
<tr class='nohover-highlight'><td/><td colspan='3' class='logmsg'>
This leverages the new lua support. See
filters/simple-authentication.lua for explaination of how this works.
There is also additional documentation in cgitrc.5.txt.

Though this is a cookie-based approach, cgit's caching mechanism is
preserved for authenticated pages.

Very plugable and extendable depending on user needs.

The sample script uses an HMAC-SHA1 based cookie to store the
currently logged in user, with an expiration date.

Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;


</td></tr>
<tr class='logheader'><td><span title='2014-01-16 00:53:18 +0100'>2014-01-16</span></td><td class='logsubject'><a href='/cgit-pink/commit/tests/t0111-filter.sh?h=1.3.0&amp;id=3741254a6989b2837cd8d20480f152f0096bcb9a&amp;follow=1'>t0111: Additions and fixes</a></td><td>Lukas Fleischer</td></tr>
<tr class='nohover-highlight'><td/><td colspan='3' class='logmsg'>
* Rename the capitalize-* filters to dump.* since they also dump the
  arguments.

* Add full argument validation to the email filters.

Signed-off-by: Lukas Fleischer &lt;cgit@cryptocrack.de&gt;


</td></tr>
<tr class='logheader'><td><span title='2014-01-16 00:53:08 +0100'>2014-01-16</span></td><td class='logsubject'><a href='/cgit-pink/commit/parsing.c?h=1.3.0&amp;id=2a7dd4bf67edeff2c6c4f6d6d39d2d7f954d978a&amp;follow=1'>parsing.c: Remove leading space from committer</a></td><td>Lukas Fleischer