package/shellinabox/0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch - buildroot - Git at Google

 From 7f47efe1717c381f86566fabe0b1ced8cb98fe8f Mon Sep 17 00:00:00 2001
 From: irsl <irsl@users.noreply.github.com>
 Date: Fri, 26 Oct 2018 11:51:15 +0200
 Subject: [PATCH] fix for broken multipart/form-data

 Malformed multipart/form-data payload results in infinite loop and thus denial of service
 [Upstream status: https://github.com/shellinabox/shellinabox/pull/446]
 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
 ---
  libhttp/url.c | 3 +++
  1 file changed, 3 insertions(+)

 diff --git a/libhttp/url.c b/libhttp/url.c
 index ed29475..4177871 100644
 --- a/libhttp/url.c
 +++ b/libhttp/url.c
 @@ -312,6 +312,9 @@ static void urlParsePostBody(struct URL *url,
                }
              }
            }
 +        } else {
 +           warn("[http] broken multipart/form-data!");
 +           break;
          }
        }
        if (lastPart) {
	From 7f47efe1717c381f86566fabe0b1ced8cb98fe8f Mon Sep 17 00:00:00 2001
	From: irsl <irsl@users.noreply.github.com>
	Date: Fri, 26 Oct 2018 11:51:15 +0200
	Subject: [PATCH] fix for broken multipart/form-data

	Malformed multipart/form-data payload results in infinite loop and thus denial of service
	[Upstream status: https://github.com/shellinabox/shellinabox/pull/446]
	Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
	---
	libhttp/url.c \| 3 +++
	1 file changed, 3 insertions(+)

	diff --git a/libhttp/url.c b/libhttp/url.c
	index ed29475..4177871 100644
	--- a/libhttp/url.c
	+++ b/libhttp/url.c
	@@ -312,6 +312,9 @@ static void urlParsePostBody(struct URL *url,
	}
	}
	}
	+ } else {
	+ warn("[http] broken multipart/form-data!");
	+ break;
	}
	}
	if (lastPart) {