annotate framework/env/auth/openid/_curl.lua @ 142:a686ed2ce967
Protect json.import(...) against Lua stack overflows (or integer overflows) due to too many nested levels
 | author | jbe | 
 | date | Wed Jul 30 02:01:24 2014 +0200 (2014-07-30) | 
 | parents | a54cc7dcabf1 | 
 | children |  | 
 
 | rev | line source | 
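--- Fetch an HTTP(S) URL by running the external "curl" program and split
-- its output into status code, header block and body.
--
-- The URL is handed to curl as its own argument after the caller's options.
-- curl is pinned to http/https and URL globbing is switched off, so the
-- scheme check below also holds for redirects and for URLs that contain
-- "[...]" or "{...}".
--
-- @param url           URL to fetch; must be a string starting with
--                      http:// or https:// (any letter case)
-- @param curl_options  sequence of additional curl command line arguments
-- @return status   numeric HTTP status parsed from the first line of curl's
--                  output, or nil if none could be parsed
-- @return headers  header block of the first response, including the
--                  surrounding line breaks, or nil
-- @return body     everything after the first empty line, or nil
-- Returns a single nil if the URL is rejected or curl exits non-zero;
-- raises an error if curl could not be executed at all.
function auth.openid._curl(url, curl_options)
  -- NOTE: Don't accept URLs starting with file:// or other nasty protocols
  if type(url) ~= "string" then
    return nil
  end
  if not string.find(url, "^[Hh][Tt][Tt][Pp][Ss]?://") then
    return nil
  end
  -- NOTE(review): only the scheme is checked here; the host part is not
  -- restricted, so loopback or internal addresses pass. If url can come
  -- from a remote user, filter the destination at the caller -- TODO confirm.

  -- table.new is not standard Lua; presumably it returns a copy so the
  -- caller's table is left untouched -- confirm against its definition.
  local options = table.new(curl_options)
  -- The regex above only sees the initial URL. Appended after the caller's
  -- options so these settings take precedence:
  options[#options+1] = "--globoff"       -- no [a-z] / {a,b} URL expansion
  options[#options+1] = "--proto"         -- protocols curl may use at all
  options[#options+1] = "=http,https"
  options[#options+1] = "--proto-redir"   -- protocols allowed on redirects
  options[#options+1] = "=http,https"
  options[#options+1] = "-i"              -- include response headers in output
  options[#options+1] = url

  -- Arguments are passed as separate values; presumably extos.pfilter
  -- executes curl without a shell -- confirm against its implementation.
  local stdout, errmsg, exit_status =
    extos.pfilter(nil, "curl", table.unpack(options))
  if not stdout then
    -- tostring() keeps the concatenation from failing if errmsg is nil
    error("Error while executing curl: " .. tostring(errmsg))
  end
  if exit_status ~= 0 then
    return nil
  end

  -- NOTE(review): with -i, curl prints one header block per response. If
  -- curl_options makes curl follow redirects, these patterns read the first
  -- response's status and headers, not the final one -- confirm with callers.
  local http_status = tonumber(string.match(stdout, "^[^ ]+ *([0-9]*)"))
  local headers     = string.match(stdout, "(\r?\n.-\r?\n)\r?\n")
  local body        = string.match(stdout, "\r?\n\r?\n(.*)")
  return http_status, headers, body
end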