author | Gérôme Fournier <jef@foutaise.org> | 2019-06-25 02:03:44 +0200 |
---|---|---|
committer | Andreas Rumpf <rumpf_a@web.de> | 2019-06-25 02:03:44 +0200 |
commit | 181350f6c9d82ace49de531823ee289cad6e5c1c (patch) | |
tree | 9a9fac78899cc605e486efdb6902c412c84f6456 /lib | |
parent | 2a7cf71db3c75824be31cfc5b99f4996eb8976c3 (diff) | |
download | Nim-181350f6c9d82ace49de531823ee289cad6e5c1c.tar.gz |
Fix out of bound access in cgi module (#11578)
When an HTTP request with a zero CONTENT_LENGTH is made, attempting to access addr(result[0]) raises an exception, as index 0 is out of bounds.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/pure/cgi.nim | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/lib/pure/cgi.nim b/lib/pure/cgi.nim
index ec3562c35..4f8bbe3d0 100644
--- a/lib/pure/cgi.nim
+++ b/lib/pure/cgi.nim
@@ -77,6 +77,8 @@ proc getEncodedData(allowedMethods: set[RequestMethod]): string =
 if methodPost notin allowedMethods:
 cgiError("'REQUEST_METHOD' 'POST' is not supported")
 var L = parseInt(getEnv("CONTENT_LENGTH").string)
+ if L == 0:
+ return ""
 result = newString(L)
 if readBuffer(stdin, addr(result[0]), L) != L:
 cgiError("cannot read from stdin")
 |
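Review bot: The new guard covers only `L == 0`, but CONTENT_LENGTH is set from the client's request, so a negative value still reaches `newString(L)` and a very large one makes the process allocate that many bytes before a single byte of the body has been read. What a negative length does there depends on whether range checks are compiled in, so it is safer to reject it explicitly right after the `parseInt` line with `if L < 0: cgiError("invalid 'CONTENT_LENGTH'")`, and to compare `L` against a maximum body size before allocating. A missing or non-numeric CONTENT_LENGTH also appears to surface as the exception `parseInt` raises rather than through `cgiError`, unless a caller outside this hunk handles it. The body of getEncodedData starts before the hunk, so the earlier method checks are not visible here.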