Fix massive post data probile in ecore-con that would cause

post data to be corrupted (as it was never copied into the
ecore con url struct) or could cause crashes if the memory
pointed to became invalid.

git-svn-id: svn+ssh://svn.enlightenment.org/var/svn/e/trunk/ecore@66619 7cbeb6ba-43b4-40fd-8cce-4c39aea84d33

diff --git a/ChangeLog b/ChangeLog
index 1580dfe..0f0dfff 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -447,3 +447,10 @@
 
         * Fix mouse down grab counts going bad by missing events.
 
+2011-12-29 Carsten Haitzler (The Rasterman)
+
+        * Fix massive post data probile in ecore-con that would cause
+        post data to be corrupted (as it was never copied into the
+        ecore con url struct) or could cause crashes if the memory
+        pointed to became invalid.
+

diff --git a/src/lib/ecore_con/ecore_con_private.h b/src/lib/ecore_con/ecore_con_private.h
index 33ee052..e48f553 100644 (file)
--- a/src/lib/ecore_con/ecore_con_private.h
+++ b/src/lib/ecore_con/ecore_con_private.h
@@ -208,6 +208,8 @@ struct _Ecore_Con_Url
    Ecore_Con_Url_Time time_condition;
    double timestamp;
    void *data;
+   
+   void *post_data;
 
    int received;
    int write_fd;

diff --git a/src/lib/ecore_con/ecore_con_url.c b/src/lib/ecore_con/ecore_con_url.c
index c250e84..68e1eac 100644 (file)
--- a/src/lib/ecore_con/ecore_con_url.c
+++ b/src/lib/ecore_con/ecore_con_url.c
@@ -326,6 +326,7 @@ ecore_con_url_free(Ecore_Con_Url *url_con)
    EINA_LIST_FREE(url_con->response_headers, s)
      free(s);
    eina_stringshare_del(url_con->url);
+   if (url_con->post_data) free(url_con->post_data);
    free(url_con);
 #else
    return;
@@ -604,7 +605,7 @@ _ecore_con_url_send(Ecore_Con_Url *url_con,
 #ifdef HAVE_CURL
    Eina_List *l;
    const char *s;
-   char tmp[256];
+   char tmp[512];
 
    if (!ECORE_MAGIC_CHECK(url_con, ECORE_MAGIC_CON_URL))
      {
@@ -627,16 +628,24 @@ _ecore_con_url_send(Ecore_Con_Url *url_con,
 
    if ((mode == MODE_POST) || (mode == MODE_AUTO))
      {
-        if (data)
+        if (url_con->post_data) free(url_con->post_data);
+        url_con->post_data = NULL;
+        if ((data) && (length > 0))
           {
-             if ((content_type) && (strlen(content_type) < 200))
+             url_con->post_data = malloc(length);
+             if (url_con->post_data)
                {
-                  snprintf(tmp, sizeof(tmp), "Content-Type: %s", content_type);
-                  url_con->headers = curl_slist_append(url_con->headers, tmp);
+                  memcpy(url_con->post_data, data, length);
+                  if ((content_type) && (strlen(content_type) < 450))
+                    {
+                       snprintf(tmp, sizeof(tmp), "Content-Type: %s", content_type);
+                       url_con->headers = curl_slist_append(url_con->headers, tmp);
+                    }
+                  curl_easy_setopt(url_con->curl_easy, CURLOPT_POSTFIELDS, url_con->post_data);
+                  curl_easy_setopt(url_con->curl_easy, CURLOPT_POSTFIELDSIZE, length);
                }
-
-             curl_easy_setopt(url_con->curl_easy, CURLOPT_POSTFIELDS, data);
-             curl_easy_setopt(url_con->curl_easy, CURLOPT_POSTFIELDSIZE, length);
+             else
+               return EINA_FALSE;
           }
         else curl_easy_setopt(url_con->curl_easy, CURLOPT_POSTFIELDSIZE, 0);
         if (mode == MODE_POST)