XCVMKit-OS/package/shellinabox/0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch

From 7f47efe1717c381f86566fabe0b1ced8cb98fe8f Mon Sep 17 00:00:00 2001
From: irsl <irsl@users.noreply.github.com>
Date: Fri, 26 Oct 2018 11:51:15 +0200
Subject: [PATCH] fix for broken multipart/form-data

Malformed multipart/form-data payload results in infinite loop and thus denial of service
[Upstream status: https://github.com/shellinabox/shellinabox/pull/446]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 libhttp/url.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libhttp/url.c b/libhttp/url.c
index ed29475..4177871 100644
--- a/libhttp/url.c
+++ b/libhttp/url.c
@@ -312,6 +312,9 @@ static void urlParsePostBody(struct URL *url,
               }
             }
           }
+        } else {
+           warn("[http] broken multipart/form-data!");
+           break;
         }
       }
       if (lastPart) {