Make nextparam work with non-NUL-terminated data

At least on POST.

1 files changed, 18 insertions, 19 deletions

diff --git a/ctl.c b/ctl.c
index e4b25a7..712b31a 100644
--- a/ctl.c
+++ b/ctl.c
@@ -37,12 +37,9 @@ newpost()
 void
 newuser()
 {
-	char *confirm, *hlite, *msg, *name, *full, *p, *pass, *v;
+	char *confirm, *hlite, msg[128], *name, *full, *p, *pass, *v;
 	char title[] = "New User";
 	
-	if(!(msg = malloc(128)))
-		err(1, "malloc");
-	
 	*msg = 0;
 	confirm = hlite = name = full = pass = NULL;
 	
@@ -52,7 +49,15 @@ newuser()
 		return;
 	}
 	
-	while(p = nextparam(POST, MAXUSERPARAM)){
+	if(query.length > MAXUSERDATA){
+		snprintf(msg, 128, "Input exceeded server limitations");
+		printf("Status: 431 Request Header Fields Too Large\n");
+		printf("Content-Type: text/html\n\n");
+		#include "t/newuser.tc"
+		return;
+	}
+	
+	while(p = nextparam(POST, NULL, MAXUSERDATA)){
 		if(!(v = split(p))) continue;
 		
 		if(!confirm && strcmp(p, "confirm") == 0)
@@ -65,20 +70,6 @@ newuser()
 		 	pass = strdup(v);
 		else
 			continue;
-		
-		if(TRUNCATED(p)){
-			hlite = strdup(p);
-			snprintf(msg, 128,
-			    "Input length exceeds server limitations");
-			goto err;
-		}
-	}
-	
-	/* Ensure all required fields are there. */
-	if(!name || !*name || !pass || !*pass){
-		hlite = (!name || !*name)? strdup("name"): strdup("pass");
-		snprintf(msg, 128, "Required field missing");
-		goto err;
 	}
 	
 	/* Decode URL-encoded fields. */
@@ -103,6 +94,13 @@ newuser()
 		goto err;
 	}
 	
+	/* Ensure all required fields are there. */
+	if(!name || !*name || !pass || !*pass){
+		hlite = (!name || !*name)? strdup("name"): strdup("pass");
+		snprintf(msg, 128, "Required field missing");
+		goto err;
+	}
+	
 	if(pass && confirm && strcmp(pass, confirm) != 0){
 		snprintf(msg, 128, "Passwords do not match");
 		goto err;
@@ -112,6 +110,7 @@ newuser()
 	printf("You are valid\n");
 	return;
 err:
+	printf("Status: 400 Bad Request\n");
 	printf("Content-Type: text/html\n\n");
 	#include "t/newuser.tc"
 	return;