[libsoup] hsts-db: use unsigned integers when writing to the database



commit 5602fdc761cf1d72185fd9c228127544d863299f
Author: Claudio Saavedra <csaavedra igalia com>
Date:   Thu Jun 6 18:09:44 2019 +0300

    hsts-db: use unsigned integers when writing to the database
    
    Using %d for values that are actually unsigned causes problems,
    in particular with servers using a rather large max-age.
    
    Added a test that reproduces the issue.

 libsoup/soup-hsts-enforcer-db.c |  2 +-
 tests/hsts-db-test.c            | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
---
diff --git a/libsoup/soup-hsts-enforcer-db.c b/libsoup/soup-hsts-enforcer-db.c
index 6a14bbd8..e097454d 100644
--- a/libsoup/soup-hsts-enforcer-db.c
+++ b/libsoup/soup-hsts-enforcer-db.c
@@ -123,7 +123,7 @@ soup_hsts_enforcer_db_new (const char *filename)
 
 #define QUERY_ALL "SELECT id, host, max_age, expiry, include_subdomains FROM soup_hsts_policies;"
 #define CREATE_TABLE "CREATE TABLE soup_hsts_policies (id INTEGER PRIMARY KEY, host TEXT UNIQUE, max_age 
INTEGER, expiry INTEGER, include_subdomains INTEGER)"
-#define QUERY_INSERT "INSERT OR REPLACE INTO soup_hsts_policies VALUES((SELECT id FROM soup_hsts_policies 
WHERE host=%Q), %Q, %d, %d, %d);"
+#define QUERY_INSERT "INSERT OR REPLACE INTO soup_hsts_policies VALUES((SELECT id FROM soup_hsts_policies 
WHERE host=%Q), %Q, %u, %u, %u);"
 #define QUERY_DELETE "DELETE FROM soup_hsts_policies WHERE host=%Q;"
 
 enum {
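Review bot: Switching the new QUERY_INSERT line to `%u` only widens the stored range to 32 bits, and it also commits the variadic arguments at the sqlite3_mprintf call site (outside this hunk) to type unsigned int exactly; if max_age or expiry are held in a wider type such as time_t or gint64, the format would read a mismatched or truncated value. Because a mis-stored expiry makes the policy look expired or never-expiring and silently drops the HTTPS upgrade, the safer form is to store those two columns as 64-bit integers, `WHERE host=%Q), %Q, %lld, %lld, %u);"` with the two arguments cast to sqlite3_int64 at the call. Whichever width is chosen, the read path behind QUERY_ALL (also outside the hunk) must use a matching sqlite3_column_* accessor, or the value is narrowed again on load; I cannot see which accessor it uses from here.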
diff --git a/tests/hsts-db-test.c b/tests/hsts-db-test.c
index 9ae37e65..cee5dd32 100644
--- a/tests/hsts-db-test.c
+++ b/tests/hsts-db-test.c
@@ -47,6 +47,11 @@ server_callback  (SoupServer *server, SoupMessage *msg,
                                                     "Strict-Transport-Security",
                                                     "max-age=31536000; includeSubDomains");
                }
+                else if (strcmp (path, "/very-long-lasting") == 0) {
+                       soup_message_headers_append (msg->response_headers,
+                                                    "Strict-Transport-Security",
+                                                    "max-age=631138519");
+               }
        }
 }
 
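Review bot: The closing brace of the added `else if` block sits one column left of the sibling `}` above it, so the new branch does not line up with the existing `/subdomains` branch; aligning it with the brace on the previous line keeps the nesting readable. server_callback starts and ends outside this hunk.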
@@ -139,6 +144,21 @@ do_hsts_db_subdomains_test (void)
        g_remove (DB_FILE);
 }
 
+static void
+do_hsts_db_large_max_age_test (void)
+{
+       SoupSession *session = hsts_db_session_new ();
+       session_get_uri (session, "https://localhost/very-long-lasting";, SOUP_STATUS_OK);
+       session_get_uri (session, "http://localhost";, SOUP_STATUS_OK);
+       soup_test_session_abort_unref (session);
+
+       session = hsts_db_session_new ();
+       session_get_uri (session, "http://localhost";, SOUP_STATUS_OK);
+       soup_test_session_abort_unref (session);
+
+       g_remove (DB_FILE);
+}
+
 int
 main (int argc, char **argv)
 {
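Review bot: do_hsts_db_large_max_age_test only observes the status of the `http://localhost` GET issued by the second session; nothing in the hunk checks that the policy was persisted with a usable expiry, so the test catches the regression only to the extent that session_get_uri (defined outside the hunk) verifies the upgrade to https rather than the plain 200. A direct assertion would pin the behaviour the format-string change fixes: after the second `hsts_db_session_new ()`, look up the session's HSTS enforcer feature and assert `soup_hsts_enforcer_has_valid_policy (enforcer, "localhost")` before the final GET. As with the sibling tests, a failing assertion skips `g_remove (DB_FILE)`, so a stale database can leak into the next run; a teardown or g_test_add with a fixture would avoid that.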
@@ -160,6 +180,7 @@ main (int argc, char **argv)
 
        g_test_add_func ("/hsts-db/basic", do_hsts_db_persistency_test);
        g_test_add_func ("/hsts-db/subdomains", do_hsts_db_subdomains_test);
+       g_test_add_func ("/hsts-db/large-max-age", do_hsts_db_large_max_age_test);
 
        ret = g_test_run ();
 

