[mapserver-commits] [MapServer/MapServer] a0cdb5: cgiutil: fix handling of malformed percent-encoding

Even Rouault noreply at github.com
Tue May 26 07:28:32 PDT 2026


  Branch: refs/heads/backport-7511-to-branch-8-6
  Home:   https://github.com/MapServer/MapServer
  Commit: a0cdb5061a8cd4d81a9ca387b09e62a4967e482e
      https://github.com/MapServer/MapServer/commit/a0cdb5061a8cd4d81a9ca387b09e62a4967e482e
  Author: Stefan Gloor <code at stefan-gloor.ch>
  Date:   2026-05-26 (Tue, 26 May 2026)

  Changed paths:
    M src/cgiutil.c
    M src/cgiutil.h

  Log Message:
  -----------
  cgiutil: fix handling of malformed percent-encoding

unescape_url() implicitly assumed that two hex digits
follow the percent sign without any checks.
This led to an out-of-bounds read on malformed
percent-encoded URLs, such as "/?foo=bar%", and
undefined behavior if non-hex digits were supplied.

Fix this by verifying that two hex digits follow
the percent sign and only unescape it in this case.
In the malformed case, leave the percent-sign and
the following digits as-is.

Signed-off-by: Stefan Gloor <code at stefan-gloor.ch>


  Commit: 8a9c7b08ab399685420bcb51dfb088caad721b1e
      https://github.com/MapServer/MapServer/commit/8a9c7b08ab399685420bcb51dfb088caad721b1e
  Author: Even Rouault <even.rouault at spatialys.com>
  Date:   2026-05-26 (Tue, 26 May 2026)

  Changed paths:
    M src/cgiutil.c
    M src/cgiutil.h

  Log Message:
  -----------
  Apply suggestions from code review

Co-authored-by: Even Rouault <even.rouault at spatialys.com>


  Commit: e3e5b82d267cfb6ebdcb32dd5d2ee1419dd768f1
      https://github.com/MapServer/MapServer/commit/e3e5b82d267cfb6ebdcb32dd5d2ee1419dd768f1
  Author: Even Rouault <even.rouault at spatialys.com>
  Date:   2026-05-26 (Tue, 26 May 2026)

  Changed paths:
    M src/cgiutil.c

  Log Message:
  -----------
  Formatting fix


  Commit: 825989f802082db780821cbaffe3eda748e27f64
      https://github.com/MapServer/MapServer/commit/825989f802082db780821cbaffe3eda748e27f64
  Author: Even Rouault <even.rouault at spatialys.com>
  Date:   2026-05-26 (Tue, 26 May 2026)

  Changed paths:
    M src/cgiutil.c

  Log Message:
  -----------
  Apply suggestions from code review

Co-authored-by: Even Rouault <even.rouault at spatialys.com>


Compare: https://github.com/MapServer/MapServer/compare/a0cdb5061a8c%5E...825989f80208
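
The check described in the log message of commit a0cdb5, written out as an added C example. It is not MapServer's code: `hex_val`, `unescape_checked` and `decodes_to` are hypothetical names, and every input except "/?foo=bar%" is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: value of one hex digit, or -1 if c is not one. */
static int hex_val(char c) {
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

/* Decode percent-escapes in place and return the decoded length.
 * A '%' is decoded only when two hex digits follow it; otherwise it is
 * copied through unchanged. The && chain stops at the first non-hex byte,
 * and the terminating NUL is non-hex, so no read goes past the end. */
size_t unescape_checked(char *s) {
  size_t r = 0, w = 0;
  while (s[r] != '\0') {
    int hi, lo;
    if (s[r] == '%' && (hi = hex_val(s[r + 1])) >= 0 &&
        (lo = hex_val(s[r + 2])) >= 0) {
      s[w++] = (char)(hi * 16 + lo);
      r += 3;
    } else {
      s[w++] = s[r++];
    }
  }
  s[w] = '\0';
  return w;
}

/* Returns 1 if decoding `in` yields exactly `expected`, else 0. */
int decodes_to(const char *in, const char *expected) {
  char buf[64];
  if (strlen(in) >= sizeof buf) return 0;
  strcpy(buf, in);
  return unescape_checked(buf) == strlen(expected) &&
         strcmp(buf, expected) == 0;
}

int main(void) {
  /* First input is from the log message; the rest are constructed. */
  const char *in[] = {"/?foo=bar%", "a%20b", "%zz%4", "%4g%41"};
  for (size_t i = 0; i < sizeof in / sizeof in[0]; i++) {
    char buf[64];
    strcpy(buf, in[i]);
    unescape_checked(buf);
    printf("%-12s -> %s\n", in[i], buf);
  }
  return 0;
}
```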
