From: ncopa at alpinelinux.org (Natanael Copa)
Subject: [PATCH] cgit: use strtol_i instead of atoi
Date: Wed, 13 May 2015 15:21:01 +0200
Message-ID: <1431523261-982-1-git-send-email-ncopa@alpinelinux.org>
The use of atoi triggers a false positive in the nessus security scanner, which
believes it is an SQL injection.
Make nessus users happy by making the integer conversion slightly more
strict.
Signed-off-by: Natanael Copa <ncopa at alpinelinux.org>
---
cgit.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/cgit.c b/cgit.c
index ae413c6..fccde9e 100644
--- a/cgit.c
+++ b/cgit.c
@@ -307,7 +307,7 @@ static void querystring_cb(const char *name, const char *value)
ctx.qry.sha2 = xstrdup(value);
ctx.qry.has_sha1 = 1;
} else if (!strcmp(name, "ofs")) {
- ctx.qry.ofs = atoi(value);
+ strtol_i(value, 10, &ctx.qry.ofs);
} else if (!strcmp(name, "path")) {
ctx.qry.path = trim_end(value, '/');
} else if (!strcmp(name, "name")) {
@@ -317,22 +317,26 @@ static void querystring_cb(const char *name, const char *value)
} else if (!strcmp(name, "s")) {
ctx.qry.sort = xstrdup(value);
} else if (!strcmp(name, "showmsg")) {
- ctx.qry.showmsg = atoi(value);
+ strtol_i(value, 10, &ctx.qry.showmsg);
} else if (!strcmp(name, "period")) {
ctx.qry.period = xstrdup(value);
} else if (!strcmp(name, "dt")) {
- ctx.qry.difftype = atoi(value);
+ int difftype = 0;
+ strtol_i(value, 10, &difftype);
+ ctx.qry.difftype = difftype;
ctx.qry.has_difftype = 1;
} else if (!strcmp(name, "ss")) {
/* No longer generated, but there may be links out there. */
- ctx.qry.difftype = atoi(value) ? DIFF_SSDIFF : DIFF_UNIFIED;
+ int n = 0;
+ strtol_i(value, 10, &n);
+ ctx.qry.difftype = n ? DIFF_SSDIFF : DIFF_UNIFIED;
ctx.qry.has_difftype = 1;
} else if (!strcmp(name, "all")) {
- ctx.qry.show_all = atoi(value);
+ strtol_i(value, 10, &ctx.qry.show_all);
} else if (!strcmp(name, "context")) {
- ctx.qry.context = atoi(value);
+ strtol_i(value, 10, &ctx.qry.context);
} else if (!strcmp(name, "ignorews")) {
- ctx.qry.ignorews = atoi(value);
+ strtol_i(value, 10, &ctx.qry.ignorews);
}
}
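Review bot: the "dt" and "ss" branches rely on the locals `int difftype = 0;` and `int n = 0;` to give the old atoi-style fallback of 0 when strtol_i rejects the value, but that fallback is implicit and the return value is ignored in every branch of this hunk, including "showmsg", "all", "context" and "ignorews", where a rejected value leaves the existing field as it was. Consider either checking the return value (for "dt" in particular, only setting `ctx.qry.has_difftype = 1;` when the number actually parsed) or adding a short comment on the zero-initialised locals so a later reader knows the 0 fallback is intended; the two temporaries could also share one helper to avoid repeating the three-line pattern.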
--
2.4.0