[master] 802884c97 vre: Enforce VRE options with masks
Nils Goroll
nils.goroll at uplex.de
Thu Jun 10 13:45:06 UTC 2021
commit 802884c97601a5e52a9ec5fff37a40f906fc175e
Author: Dridi Boukelmoune <dridi.boukelmoune at gmail.com>
Date: Tue May 18 15:44:37 2021 +0200
vre: Enforce VRE options with masks
The two options can't be mixed together and we should ensure that only
the options we decided to support can be passed along, preventing bit
smuggling.
For a full PCRE spectrum, VMODs can directly use a PCRE library through
its API.
diff --git a/lib/libvarnish/vre.c b/lib/libvarnish/vre.c
index 409c27d96..60254aa4b 100644
--- a/lib/libvarnish/vre.c
+++ b/lib/libvarnish/vre.c
@@ -70,6 +70,14 @@ struct vre {
const unsigned VRE_CASELESS = PCRE_CASELESS;
const unsigned VRE_NOTEMPTY = PCRE_NOTEMPTY;
+/*
+ * Even though we only have one for each case so far, keep track of masks
+ * to differentiate between compile and exec options and enfore the hard
+ * VRE linkage.
+ */
+#define VRE_MASK_COMPILE PCRE_CASELESS
+#define VRE_MASK_EXEC PCRE_NOTEMPTY
+
vre_t *
VRE_compile(const char *pattern, unsigned options,
const char **errptr, int *erroffset)
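Review bot: The two mask macros are defined without parentheses, while both use sites apply `~` to them directly. The comment anticipates more options per mask; once a second flag is OR-ed in, `~VRE_MASK_COMPILE` would expand to `~PCRE_CASELESS | <new flag>`, so the negation covers only the first flag and the assertion would fire on the newly supported option. Defining them as `#define VRE_MASK_COMPILE (PCRE_CASELESS)` and `#define VRE_MASK_EXEC (PCRE_NOTEMPTY)` keeps the checks correct as the masks grow. The comment also has a typo, "enfore" for "enforce". The VRE_compile definition that follows continues outside this hunk.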
@@ -82,6 +90,7 @@ VRE_compile(const char *pattern, unsigned options,
*errptr = "Out of memory for VRE";
return (NULL);
}
+ AZ(options & (~VRE_MASK_COMPILE));
v->re = pcre_compile(pattern, options, errptr, erroffset, NULL);
if (v->re == NULL) {
VRE_free(&v);
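Review bot: The new `AZ(options & (~VRE_MASK_COMPILE));` sits after the allocation-failure branch and, assuming AZ is the usual assert-zero macro, turns any unsupported bit into a process abort, even though VRE_compile already has an `errptr`/`erroffset` error path. If that is the intended contract, it should be stated at the function so callers know that `options` must never be derived from configuration or other external input without masking first, for example `/* options must be a subset of VRE_MASK_COMPILE; any other bit is a caller bug and panics */`. Moving the assertion to the top of the function, before the allocation, would also make the precondition easier to see. The same applies to `AZ(options & (~VRE_MASK_EXEC));` in the VRE_exec hunk below, which runs on the match path. Both function bodies start outside their hunks.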
@@ -129,6 +138,7 @@ VRE_exec(const vre_t *code, const char *subject, int length,
code->re_extra->flags &= ~PCRE_EXTRA_MATCH_LIMIT_RECURSION;
}
+ AZ(options & (~VRE_MASK_EXEC));
return (pcre_exec(code->re, code->re_extra, subject, length,
startoffset, options, ovector, ovecsize));
}