Skip to content

Commit

Permalink
http_server: api: v1: backport fix for CVE-2024-4323
Browse files Browse the repository at this point in the history
* api/v1/traces: validate inputs when enabling traces.

validate the array of inputs when enabling multiple traces that
they are strings.

this patch also refactors out the allocation of said input name.

* api/v1/traces: disable traces api when tracing is disabled.

* api/v1/trace: use macros for strings and lengths in responses.

avoid strlen when creating http response, especially in loops,
by predefining them via macros.

* api/v1/trace: use sizeof for string length macros.

* api/v1/trace: use signed lenghts for strings.

this avoid potential integer overflows when using them as
specifiers for format strings.

* api/v1/traces: use macro for inputs string.

* api/v1/traces: use sizeof when comparing against base path.

* api/v1/traces: replace strlen with flb_sds_len when using flb_sds_t.

---------

Signed-off-by: Phillip Adair Stewart Whelan <[email protected]>
Signed-off-by: Phillip Whelan <[email protected]>
Co-authored-by: Phillip Whelan <[email protected]>
  • Loading branch information
edsiper and pwhelan committed May 21, 2024
1 parent 89a343b commit be238e1
Showing 1 changed file with 135 additions and 84 deletions.
Loading

0 comments on commit be238e1

Please sign in to comment.