Refuse headers with a leading dot in OVERVIEW.FMT

Header field names beginning with a dot can no longer be added in the extraoverviewadvertised and extraoverviewhidden parameters of inn.conf so as to fix problems of searches and dot-stuffing (in LIST OVERVIEW.FMT responses). This is not (yet) supported in INN, and as this use case does not happen in real life, do not bother supporting it. see #286
InterNetNews · Dec 9, 2023 · 720a6f9 · 720a6f9
1 parent b9101a7
commit 720a6f9
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/lib/innconf.c b/lib/innconf.c
@@ -567,6 +567,33 @@ innconf_validate(struct config_group *group)
         }
     }
 
+    /* Do not accept header field names beginning with a dot (extra complexity
+     * not handled in the code for correctly dot-stuffing them). */
+    if (innconf->extraoverviewadvertised->strings != NULL) {
+        for (i = 0; i < innconf->extraoverviewadvertised->count; i++) {
+            if (innconf->extraoverviewadvertised->strings[i] != NULL
+                && (*innconf->extraoverviewadvertised->strings[i] == '.')) {
+                config_error_param(group, "extraoverviewadvertised",
+                                   "Header field names beginning with a dot "
+                                   "not allowed in overview data");
+                okay = false;
+                break;
+            }
+        }
+    }
+    if (innconf->extraoverviewhidden->strings != NULL) {
+        for (i = 0; i < innconf->extraoverviewhidden->count; i++) {
+            if (innconf->extraoverviewhidden->strings[i] != NULL
+                && (*innconf->extraoverviewhidden->strings[i] == '.')) {
+                config_error_param(group, "extraoverviewhidden",
+                                   "Header field names beginning with a dot "
+                                   "not allowed in overview data");
+                okay = false;
+                break;
+            }
+        }
+    }
+
     return okay;
 }