From 42ad93d1f6e7dbca2264c2cf62db3b8c79a5120b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=EA=A6=8C=EA=A6=AB=EA=A6=B6=EA=A6=8F=EA=A7=80=EA=A6=A6?= =?UTF-8?q?=EA=A6=BF=EA=A6=A7=EA=A6=AE=EA=A6=91=EA=A6=A9=EA=A6=AD=EA=A7=80?=
Date: Mon, 15 May 2023 10:43:46 +0800
Subject: POST copies contents so quantity doesn't leak
---
 ord.c | 4 ++--
 request.c | 8 +++++++-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/ord.c b/ord.c
index 06d1798..4964931 100644
--- a/ord.c
+++ b/ord.c
@@ -15,7 +15,7 @@ void interchange_ord_order(const char *sku, const char *item,
 do {
 length++;
 } while ((qty /= 10));
- char qty_str[length + 1];
+ char *qty_str = malloc(length + 1);
 sprintf(qty_str, "%d", quantity);
 request(parser, NULL, &(struct body){ 4, {
 { "mv_action", "refresh" },
@@ -34,7 +34,7 @@ void interchange_ord_update(const char *name, const unsigned int quantity,
 do {
 length++;
 } while ((qty /= 10));
- char qty_str[length + 1];
+ char *qty_str = malloc(length + 1);
 sprintf(qty_str, "%d", quantity);
 request(parser, NULL, &(struct body){ 4 + (nextpage ? 1 : 0), {
 { "mv_quantity_update", "1" },
diff --git a/request.c b/request.c
index 32e46f0..2ab8fc4 100644
--- a/request.c
+++ b/request.c
@@ -134,6 +134,8 @@ void request(void (*handler)(interchange_response *), void (*callback)(void *),
 if (i)
 strcat(post, "&");
 sprintf(post, "%s%s=%s", post, pair.key, pair.value);
+ if (!strncmp(pair.key, "quantity", 8))
+ free(pair.value);
 }
 strcpy(attr.requestMethod, "POST");
 static const char *headers[] = { "Content-Type",
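Review bot: In both ord.c hunks (interchange_ord_order and interchange_ord_update) the pointer returned by `malloc(length + 1)` goes straight into `sprintf` with no NULL check, so an allocation failure becomes a write through a null pointer. The size comes from a digit count, yet the interchange_ord_update header shows `quantity` as `const unsigned int` while the format is `"%d"`; a value above INT_MAX would usually print with a leading minus sign, one byte more than the buffer holds, assuming `length` counts the digits of the unsigned value (that code is partly outside the hunk). I would add `if (!qty_str) return;` after the allocation and format with `snprintf(qty_str, length + 1, "%u", quantity);`. Both function bodies start and end outside their hunks.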
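Review bot: The added `free(pair.value)` in the loop that builds `post` with `sprintf`, and the identical one in the `curl_formadd` loop of the hunk at new line 175, infers heap ownership from the key name: every pair whose key starts with `quantity` is freed, whether or not the caller allocated it. A caller that passes a string literal or a stack buffer under such a key gets an invalid free, while the buffers allocated in ord.c are released only if their key (not visible in those hunks) begins with `quantity` and one of these two loops runs. Because both loops now copy the value, it looks simpler to remove these frees and let the caller call `free(qty_str);` after `request()` returns, or keep the original stack array, provided nothing later in request() retains the pointer. request()'s body extends beyond both hunks.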
@@ -173,7 +175,11 @@ void request(void (*handler)(interchange_response *), void (*callback)(void *),
 struct pair pair = body->pairs[i];
 if (!pair.value)
 continue;
- curl_formadd(&post, &last, CURLFORM_COPYNAME, pair.key, CURLFORM_PTRCONTENTS, pair.value, CURLFORM_END);
+ curl_formadd(&post, &last, CURLFORM_COPYNAME, pair.key,
+ CURLFORM_COPYCONTENTS, pair.value,
+ CURLFORM_END);
+ if (!strncmp(pair.key, "quantity", 8))
+ free(pair.value);
 }
 last = NULL;
 curl_easy_setopt(curl, CURLOPT_HTTPPOST, post);
--
cgit v1.2.3
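Review bot: The return value of the rewritten `curl_formadd` call is ignored, and with `CURLFORM_COPYCONTENTS` the call now allocates a copy of the value, so it can fail for lack of memory. On failure the field would be silently missing from the POST while the loop goes on to free the caller's buffer. Consider testing the result, `if (curl_formadd(&post, &last, ...) != CURL_FORMADD_OK)`, with an error path that releases the partial form via `curl_formfree(post)` instead of sending it. The enclosing loop and the rest of request() lie outside the hunk.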