1 /* Copyright 1999-2004 The Apache Software Foundation
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
26 /* A bunch of functions in util.c scan strings looking for certain characters.
27 * To make that more efficient we encode a lookup table.
/*
 * Bit masks OR'd together to form one entry of the generated table.
 * Each mask marks a character as special for one kind of scan:
 *
 *   T_ESCAPE_SHELL_CMD     shell metacharacter (escape_shell_cmd)
 *   T_ESCAPE_PATH_SEGMENT  not alphanumeric and not one of $-_.+!*'(),:@&=~
 *   T_OS_ESCAPE_PATH       as above, except that '/' is also left alone
 *   T_HTTP_TOKEN_STOP      control character or HTTP "tspecial"
 *   T_ESCAPE_LOGITEM       must be escaped when written to a log line
 *   T_ESCAPE_FORENSIC      must be escaped when written to a forensic log
 *
 * The constants are unsigned on purpose: they are emitted with the "%u"
 * printf conversion and combined with bitwise OR, so giving them the type
 * unsigned int keeps the format arguments and the mask arithmetic in
 * agreement. All six fit in the low byte, matching the unsigned char
 * element type of the generated table.
 */
#define T_ESCAPE_SHELL_CMD    (0x01u)
#define T_ESCAPE_PATH_SEGMENT (0x02u)
#define T_OS_ESCAPE_PATH      (0x04u)
#define T_HTTP_TOKEN_STOP     (0x08u)
#define T_ESCAPE_LOGITEM      (0x10u)
#define T_ESCAPE_FORENSIC     (0x20u)
36 int main(int argc, char *argv[])
41 printf("/* this file is automatically generated by gen_test_char, "
43 "#define T_ESCAPE_SHELL_CMD (%u)\n"
44 "#define T_ESCAPE_PATH_SEGMENT (%u)\n"
45 "#define T_OS_ESCAPE_PATH (%u)\n"
46 "#define T_HTTP_TOKEN_STOP (%u)\n"
47 "#define T_ESCAPE_LOGITEM (%u)\n"
48 "#define T_ESCAPE_FORENSIC (%u)\n"
50 "static const unsigned char test_char_table[256] = {",
52 T_ESCAPE_PATH_SEGMENT,
58 for (c = 0; c < 256; ++c) {
63 /* escape_shell_cmd */
64 #if defined(WIN32) || defined(OS2)
65 /* Win32/OS2 have many of the same vulnerable characters
66 * as Unix sh, plus the carriage return and percent char.
67 * The proper escaping of these characters varies from unix
68 * since Win32/OS2 use carets or doubled-double quotes,
69 * and neither lf nor cr can be escaped. We escape unix
70 * specific as well, to assure that cross-compiled unix
71 * applications behave similarly when invoked on win32/os2.
73 * Rem please keep in-sync with apr's list in win32/filesys.c
75 if (c && strchr("&;`'\"|*?~<>^()[]{}$\\\n\r%", c)) {
76 flags |= T_ESCAPE_SHELL_CMD;
79 if (c && strchr("&;`'\"|*?~<>^()[]{}$\\\n", c)) {
80 flags |= T_ESCAPE_SHELL_CMD;
84 if (!apr_isalnum(c) && !strchr("$-_.+!*'(),:@&=~", c)) {
85 flags |= T_ESCAPE_PATH_SEGMENT;
88 if (!apr_isalnum(c) && !strchr("$-_.+!*'(),:@&=/~", c)) {
89 flags |= T_OS_ESCAPE_PATH;
92 /* these are the "tspecials" from RFC2068 */
93 if (c && (apr_iscntrl(c) || strchr(" \t()<>@,;:\\/[]?={}", c))) {
94 flags |= T_HTTP_TOKEN_STOP;
97 /* For logging, escape all control characters,
98 * double quotes (because they delimit the request in the log file)
99 * backslashes (because we use backslash for escaping)
100 * and 8-bit chars with the high bit set
102 if (c && (!apr_isprint(c) || c == '"' || c == '\\' || apr_iscntrl(c))) {
103 flags |= T_ESCAPE_LOGITEM;
106 /* For forensic logging, escape all control characters, top bit set,
107 * :, | (used as delimiters) and % (used for escaping).
109 if (!apr_isprint(c) || c == ':' || c == '|' || c == '%'
110 || apr_iscntrl(c) || !c) {
111 flags |= T_ESCAPE_FORENSIC;
114 printf("%u%c", flags, (c < 255) ? ',' : ' ');