Home Explore Help
Register Sign In
PSG
/
civetweb
mirror of https://github.com/civetweb/civetweb.git
5
0
Fork 0
Files Issues 0 Wiki
Browse Source

Minor change to civetweb.c

When reporting an error if parse_http_message were to fail, sending back user input as is to the client poses a security risk to browsers. I propose removing the string in the error reporting.
kalphamon 10 years ago
parent
b66d5cdfaf
commit
aba522b352
1 changed files with 1 additions and 1 deletions
Split View Show Diff Stats
  1. 1 1
      src/civetweb.c

+ 1 - 1
src/civetweb.c
View File 

@@ -8803,7 +8803,7 @@ getreq(struct mg_connection *conn, char *ebuf, size_t ebuf_len, int *err)
 
 	} else if (parse_http_message(
 
 	               conn->buf, conn->buf_size, &conn->request_info) <= 0) {
 
 		snprintf(
 
-		    ebuf, ebuf_len, "Bad request: [%.*s]", conn->data_len, conn->buf);
 
+		    ebuf, ebuf_len, "Bad request: [len=%d]", conn->data_len);
 
 		*err = 400;
 
 		return 0;
 
 	} else {