Modified the `html_replace' function so that it returns the length of
the replacement string instead of the string itself. This is used to
easily check for overflows of the `new_size' variable in the first for
loop of the `evhttp_htmlescape' function, and thus potential out of
bounds writes in the second for loop (if an overflow occurs in
new_size, then new_size < old_size). Also check that new_size + 1
doesn't overflow in mm_malloc(new_size + 1).
Removed the `scratch_space' variable from the `evhttp_htmlescape'
function since it wasn't actually used; also removed the `buf'
variable from the `evhttp_htmlescape' function since it was only used
by `scratch_space'.
Patch in question:
- Fix the case when failed evhttp_make_request() leaved request in the queue.
- http://levent.git.sourceforge.net/git/gitweb.cgi?p=levent/libevent;a=commit;h=0d6622e
The above patch introduces a failing assertion in
evhttp_connection_fail(). This happens because the patch defers the
assignment of the outstanding request to the evcon->requests list,
while evhttp_connection_fail() assumes that the request lies in the
list.
One scenario in which this can happen is when the request list is
empty and a connection is made to an unreachable host. The assertion
will then fail after bufferevent_socket_connect() errors out (with
ENETUNREACH in my case).
This was a regression on 2.0.10-stable: clang was warning about
values that were unused (because event_debug wasn't using them unless
USE_DEBUG was defined). Found by Sebastian Hahn.
Imagine server side is buggy and miscalculates Content-Length: in the
reply. Data arriving in idle state shouldn't make us crash, instead we
can just reset the connection.
https://sourceforge.net/tracker/index.php?func=detail&aid=3078187&group_id=50884&atid=461324
The problem is that bufferevent_disable() doesn't disable EV_WRITE
when 'connecting' flag is set. However from evhttp_connection_reset()
we want to disable EV_WRITE for sure (we are closing the socket next).
So we add bufferevent_disable_hard(), which acts like
bufferevent_disable(), but resets 'connecting' flag before the call to
the actual handler.
TODO: bufferevent_disable_hard() shouldn't be public, remove it from
event2/bufferevent.h.
If the EVHTTP_URI_NONCONFORMANT flag is passed in (which it is when
parsing URIs we get over the wire), then we relax our checks a lot.
Specifically, we do nothing to check for correct characters in the
path, query, and fragment parts of such a URI.
We could do much more here: we could relax our hostname requirements,
deal with spaces differently/better, trap some errors but not others,
etc. But this should solve the worst user-agent compatibility issues
for now; the other issues can wait for a later release.
f700566c removed a line from evhttp_connection_stop_detectclose that
cleared the EVHTTP_CON_CLOSEDETECT flag. I think this was an
accident, and suspect that it may be the cause of bug 3069555.
evhttp needs to be mindful of all hostnames and addresses that clients
use to contact the main server and vhosts to know the difference between
proxy requests and non-proxy requests.
When we call evhttp_get_bodylen() [when transfer-encoding isn't set],
having req->ntoread == -1 means that we have no content-length. But a
request with no content-length has no body! We were treating the
absent content-length as meaning "read till closed", which only holds
for replies, not requests.
This patch also allows PATCH requests to have a body.
