From: Dan Wells
Date: Tue, 6 Mar 2012 20:08:33 +0000 (-0500)
Subject: Protect gateway from format-string crashes in data
X-Git-Tag: osrf_rel_2_1_0-alpha1~2
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=974d3a0dd4ddd134033b16bcd9e2fde34302ffd5;p=OpenSRF.git

Protect gateway from format-string crashes in data

As a common security measure, printf-style formatting codes are not allowed to be directly interpreted from a writable segment. The gateway code currently has the following function call:

osrfLogActivity( OSRF_LOG_MARK, act->buf );

This is a variadic function which expects the 'act->buf' position to contain a format string and any trailing arguments to be the values passed to the formatter. Since act->buf is the value of what we passed in, some data inadvertently contains format strings, and since it is a writable segment, the program crashes.

Here is an example of a crash-causing call:

http://localhost/osrf-gateway-v1?service=test&method=test&param=%22%251n%22

The param is interpreted as "%1n" and abruptly fails.

The simple solution is to include a formatter so that our param gets demoted to being mere data, i.e.:

osrfLogActivity( OSRF_LOG_MARK, "%s", act->buf );

Signed-off-by: Dan Wells
Signed-off-by: Dan Scott
---
diff --git a/src/gateway/osrf_json_gateway.c b/src/gateway/osrf_json_gateway.c index 5282972..53094e3 100644 --- a/src/gateway/osrf_json_gateway.c +++ b/src/gateway/osrf_json_gateway.c @@ -300,7 +300,7 @@ static int osrf_json_gateway_method_handler (request_rec *r) { } } - osrfLogActivity( OSRF_LOG_MARK, act->buf ); + osrfLogActivity( OSRF_LOG_MARK, "%s", act->buf ); buffer_free(act); /* ----------------------------------------------------------------- */
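
Review bot: The one-line change to the osrfLogActivity call just before buffer_free(act) is correct, but it repairs a single call site and leaves nothing in place to catch the next buffer passed in the format position. Consider declaring osrfLogActivity (and any other printf-style log functions) with the compiler's printf format attribute and building with -Wformat -Wformat-security, so that a call whose format argument is not a string literal is flagged at compile time. It is also worth checking the rest of the gateway for logging calls that pass a request-derived buffer as the format, since the commit message shows act->buf carries the decoded request parameters.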
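
The failure mode the commit message describes, as an added example that is not part of the OpenSRF code. `log_activity` is a hypothetical stand-in for a printf-style logger such as `osrfLogActivity`, and `count_conversions` is a hypothetical audit helper that reports how many variadic arguments (and how many `%n` writes) the formatter would attempt if a piece of request data were used as the format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style logger such as osrfLogActivity:
   formats into `out` instead of a log file so the result can be checked. */
static int log_activity(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Audit helper (hypothetical): count the conversions in `s` that would consume
   a variadic argument if `s` were the format; *writes counts %n conversions. */
static int count_conversions(const char *s, int *writes)
{
    int args = 0;
    *writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;          /* "%%" is a literal percent sign */
        while (*p && strchr("-+ #0", *p)) p++;             /* flags */
        for (; *p == '*' || (*p >= '0' && *p <= '9'); p++) /* width */
            if (*p == '*') args++;
        if (*p == '.')                                     /* precision */
            for (p++; *p == '*' || (*p >= '0' && *p <= '9'); p++)
                if (*p == '*') args++;
        while (*p && strchr("hlLqjzt", *p)) p++;           /* length modifier */
        if (*p == '\0') break;              /* truncated specifier at end of data */
        args++;                             /* the conversion itself */
        if (*p == 'n') (*writes)++;
    }
    return args;
}

int main(void)
{
    const char *data = "\"%1n\"";  /* decoded param value quoted in the commit message */
    char out[64];
    int writes;
    int args = count_conversions(data, &writes);
    log_activity(out, sizeof out, "%s", data);  /* fixed form: data is only data */
    printf("args=%d writes=%d logged=%s\n", args, writes, out);
}
```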