> The decoder does not correctly NUL terminate "p" when it shrinks by
> replacing '%xx' with the corresponding octet.
Arrgh. Thanks.
--
Principal Security Engineer, Akamai Technologies
IM: rs...@jabber.me Twitter: RichSalz
On Fri, Sep 26, 2014 at 08:12:37PM -0500, Salz, Rich wrote:
> > You're doing "HTML-entity" decoding here. URL decoding uses only the
> > "%xx" stuff. See RFC3986.
> >
> > + else if (*p != '%')
> > + *out++ = *p;
>
> Yes, I was treating it as an HTML form, not just a s
> You're doing "HTML-entity" decoding here. URL decoding uses only the
> "%xx" stuff. See RFC3986.
>
> + else if (*p != '%')
> + *out++ = *p;
Yes, I was treating it as an HTML form, not just a strict URI encoding.
> + /* URL decode? Really shouldn't b
> This code treats non-hex characters as zero, they should trigger an error.
"Be liberal in what you accept" :) If there's a problem with it, the base64
decode or the DER parse will fail later. If there's not a problem with it,
then there.. is no problem.
> > + if (strchr(p, '+') !=
On Thu, Sep 25, 2014 at 09:56:30PM -0500, Salz, Rich wrote:
> +static int tohex(char c)
> + {
> + switch (c)
> + {
> + case '0': return 0;
> + case '1': return 1;
> + case '2': return 2;
> + case '3': return 3;
> + cas
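Review bot: `tohex` returns the numeric value of a hex digit (`case '0': return 0;`), so it converts from hex and the name reads backwards; a name such as `hexval` would match what it does. Because 0 is already the result for `'0'`, the `int` return type should be used to give non-hex input a distinct value such as -1 that the caller can check.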
Bonjour Rich,
+static char* urldecode(char* p)
+ {
+ unsigned char* out = (unsigned char *)p;
+ char* save = p;
+
+ for ( ; *p; p++)
+ {
+ if (*p == '+')
+ *out++ = ' ';
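Review bot: the `if (*p == '+')` branch rewrites '+' to a space, which is form decoding rather than RFC 3986 percent-decoding, and '+' is itself a character of the base64 alphabet, so a base64 request containing a literal '+' is altered before the base64 decode sees it. Suggest copying '+' through unchanged and decoding only the '%xx' sequences.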
You're doing "HTML-entity" decoding here. URL decodi
> I don't see where the OCSP request is de-base64-ified, and URL-decoded.
> In both cases, d2i_OCSP_REQUEST_bio is called to get the request, but it's
> done directly on the HTTP request line for a GET.
I forgot to post the updated patch. Thanks Erwann.
--
Principal Security Engineer, Akamai
Le 11/09/2014 19:45, Salz, Rich a écrit :
The attached diff adds GET support to ocsp. I'd appreciate any feedback.
I don't see where the OCSP request is de-base64-ified, and URL-decoded.
In both cases, d2i_OCSP_REQUEST_bio is called to get the request, but
it's done directly on the HTTP re
> I don't see where the OCSP request is de-base64-ified, and URL-decoded.
> In both cases, d2i_OCSP_REQUEST_bio is called to get the request, but it's
> done directly on the HTTP request line for a GET.
Doh! Right :(
__
OpenSSL
(trying a resend, my email address has changed)
Le 11/09/2014 19:45, Salz, Rich a écrit :
The attached diff adds GET support to ocsp. I'd appreciate any feedback.
I don't see where the OCSP request is de-base64-ified, and URL-decoded.
In both cases, d2i_OCSP_REQUEST_bio is called to get the