Bug 620220 – soup_uri_set_query_from_form segfaults when given hash containing a null value

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 620220 - soup_uri_set_query_from_form segfaults when given hash containing a null value


Summary:	soup_uri_set_query_from_form segfaults when given hash containing a null value


Status:	RESOLVED FIXED

Product:	libsoup
Classification:	Core
Component:	Misc
Version:	2.30.x
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	libsoup-maint@gnome.bugs
QA Contact:	libsoup-maint@gnome.bugs

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2010-06-01 06:19 UTC by Arc Riley
Modified:	2010-11-09 17:30 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
Fix parsing/generation of URI queries that aren't HTML forms (3.07 KB, patch) 2010-11-09 17:30 UTC, Dan Winship	committed	Details \| Review

Description Arc Riley 2010-06-01 06:19:03 UTC

def handleAnnounceRedirect(serv : Soup.Server, mesg : Soup.Message, path : string, query : GLib.HashTable?, client : Soup.ClientContext)
      var location = new Soup.URI("http://localhost/announce")
      if query is not null
        location.set_query_from_form(query)
      var redirect = location.to_string(true)
      mesg.set_status(KnownStatusCode.MOVED_PERMANENTLY)
      mesg.response_headers.append("Location", redirect)

When the above code is provided the following URL, it causes a segfault:
"http://localhost/announce.php?a"

+ Trace 222181

#0 ??
from /usr/lib/libsoup-2.4.so.1
#1 IA__g_hash_table_foreach
at /build/buildd/glib2.0-2.24.1/glib/ghash.c line 1325
#2 soup_form_encode_hash
from /usr/lib/libsoup-2.4.so.1
#3 soup_uri_set_query_from_form
from /usr/lib/libsoup-2.4.so.1


This does not happen when given "http://localhost/announce.php?a=".  While checking each value of a hash before passing it to soup_uri_set_query_from_form would solve this, it would be much cleaner (and proper) to test for null in soup_form_encode_hash's foreach callback.

Comment 1 Dan Winship 2010-11-09 17:30:36 UTC

The following fix has been pushed:
82b4522 Fix parsing/generation of URI queries that aren't HTML forms

Comment 2 Dan Winship 2010-11-09 17:30:41 UTC

Created attachment 174147 [details] [review]
Fix parsing/generation of URI queries that aren't HTML forms

soup_form_decode() used to accept strings that weren't "name=value"
pairs, but soup_form_encode_hash() would crash if you passed the
resulting GHashTable to it. Fix both sides: now soup_form_decode()
ignores non-"name=value" elements, and soup_form_encode_hash()
g_return_if_fail()s rather than crashing.

Also fix use of deprecated soup-form.h method names in soup-uri.c and
soup-server.c