segfault in slist_item() when value is NULL
LeSpocky opened this issue · 1 comment
In `slist_add()` there's no check on the contents of `item->name` or `item->value`, so items with name or value set to NULL can be added to the list. The functions `slist_delete()` and `slist_item()` access `item->name`, which would cause a segfault if name is set to NULL. Additionally, in `slist_item()` `item->value` is also accessed and can be NULL, here:

`return (!begin->value[0] ? NULL : begin->value);`
While libcgi does not add items with empty names by itself, it may add items with empty values. For example, on POST requests with empty text boxes the QUERY_STRING can look like this:
foo=&bar=baz
The segfault happens in the above-mentioned line in `slist_item()` if the list is then accessed via `cgi_param("foo")`. 💥
I suggest we allow the value to be set to NULL and return NULL in `slist_item()` in this case. The question remains whether we should also allow adding items with an empty name in `slist_add()`, but that's the subject of another topic. 😉
Currently `slist_item()` returns NULL on an empty string, i.e. if the first byte of `item->value` is the null terminator of the string. People may rely on this, so we should not break it, although it would be possible and maybe more intuitive to return a pointer to the empty string.