From 357cf76409d30341a2c4eedcf2568f0abd56e88d Mon Sep 17 00:00:00 2001
From: Roland Reichwein <mail@reichwein.it>
Date: Sat, 6 Jun 2020 15:13:39 +0200
Subject: More runtime error checking

---
 debian/changelog                  |  6 ++++++
 plugins/statistics/statistics.cpp |  6 +++++-
 plugins/weblog/weblog.cpp         |  9 ++++++++-
 response.cpp                      | 16 ++++++++++++++--
 4 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 82579ef..5edf7b3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+webserver (1.10) UNRELEASED; urgency=medium
+
+  * More runtime error checking
+
+ -- Roland Reichwein <rr@antcom.de>  Sat, 06 Jun 2020 15:12:35 +0200
+
 webserver (1.9) unstable; urgency=medium
 
   * Fix fcgi output size (content-length was 1 too big)
diff --git a/plugins/statistics/statistics.cpp b/plugins/statistics/statistics.cpp
index 3ebd301..b1778f7 100644
--- a/plugins/statistics/statistics.cpp
+++ b/plugins/statistics/statistics.cpp
@@ -44,7 +44,11 @@ namespace {
     return 0;
    }
 
-   result += stoull(elements[column]);
+   try {
+    result += stoull(elements[column]);
+   } catch(...) {
+    std::cerr << "Error: Stats value " << elements[column] << " malformed." << std::endl;
+   }
   }
 
   return result;
diff --git a/plugins/weblog/weblog.cpp b/plugins/weblog/weblog.cpp
index 1e1b6b2..a64ee1b 100644
--- a/plugins/weblog/weblog.cpp
+++ b/plugins/weblog/weblog.cpp
@@ -244,6 +244,9 @@ namespace {
                                size_t page)
  {
   try {
+   if (page > std::numeric_limits<int>::max())
+    throw std::runtime_error("Bad page index: "s + std::to_string(page));
+
    HtmlPage htmlPage{GetRequestParam, "<h1>"s + GetRequestParam("WEBLOG_NAME") + "</h1>"s};
 
    fs::path link{ GetRequestParam("plugin_path")};
@@ -422,7 +425,11 @@ std::string weblog_plugin::generate_page(
   size_t page {0};
   auto it {query.find("page")};
   if (it != query.end()) {
-   page = stoul(it->second);
+   try {
+    page = stoul(it->second);
+   } catch(...) {
+    // ignore: keep default 0
+   }
   }
 
   if (is_index_page(rel_target))
diff --git a/response.cpp b/response.cpp
index 4e66dd3..98abac4 100644
--- a/response.cpp
+++ b/response.cpp
@@ -224,7 +224,14 @@ std::unordered_map<std::string, std::function<void(const std::string&, response_
  { "location",            [](const std::string& value, response_type& res){res.set(http::field::location, value);} },// e.g. 301 Moved Permanently: new Location
  { "server",              [](const std::string& value, response_type& res){res.set(http::field::server, value);} }, // Server name/version string
  { "set_cookie",          [](const std::string& value, response_type& res){res.set(http::field::set_cookie, value);} },
- { "status",              [](const std::string& value, response_type& res){res.result(unsigned(stoul(value)));} }, // HTTP Status, e.g. "200" (OK)
+ { "status",              [](const std::string& value, response_type& res){
+                                                                           try {
+                                                                            res.result(unsigned(stoul(value)));
+                                                                           } catch (...) {
+                                                                            std::cerr << "Error: Bad status value: " << value << std::endl;
+                                                                            res.result(400);
+                                                                           }
+                                                                          } }, // HTTP Status, e.g. "200" (OK)
  { "www_authenticate",    [](const std::string& value, response_type& res){res.set(http::field::www_authenticate, value);} },
 };
 
@@ -242,7 +249,12 @@ void SetResponseHeader(const std::string& key, const std::string& value, respons
 response_type HttpStatus(std::string status, std::string message, response_type& res)
 {
  if (status != "200") { // already handled at res init
-  res.result(unsigned(stoul(status)));
+  try {
+   res.result(unsigned(stoul(status)));
+  } catch (...) {
+   std::cerr << "Error: HttpStatus: Bad status value: " << status << std::endl;
+   res.result(400);
+  }
   res.set(http::field::content_type, "text/html");
 
   res.body() = "<html><body><h1>"s + Server::VersionString + " Error</h1><p>"s + status + " "s + message + "</p></body></html>"s;
-- 
cgit v1.2.3