- Bug
- Resolution: Fixed
- Major
- VOMS C APIs, native clients and server v. 2.0.12-2
- Security Level: Public (Visible by non-authn users.)
- None
The line
    *currentout++ = hex2num(first) << 4 + hex2num(second);
does the wrong thing because the precedence of the operations implies
    *currentout++ = hex2num(first) << (4 + hex2num(second));
and not the correct
    *currentout++ = (hex2num(first) << 4) + hex2num(second);
Alternatively, | can be used instead of +
    *currentout++ = hex2num(first) << 4 | hex2num(second);
but parentheses don't hurt.
Luckily that piece of code is in fact never executed because canonicalize_string is called by http_get in such a way that it is applied only to the string /generate-ac, i.e. it is not applied to the whole path including parameters, which most likely contain url-escaped characters.
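The effect of the two groupings on a percent-escaped string, as an added example that is not VOMS code: the body of hex2num, the helper names decode_buggy, decode_fixed and percent_decode, and the sample input are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Stand-in for the hex2num() named in the report; its real body is not shown there. */
static int hex2num(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1; /* not a hex digit */
}

/* The reported expression as the compiler groups it: + binds tighter than <<. */
unsigned char decode_buggy(char first, char second)
{
    return (unsigned char)(hex2num(first) << (4 + hex2num(second)));
}

/* The intended grouping: high nibble shifted by 4, then combined with the low nibble. */
unsigned char decode_fixed(char first, char second)
{
    return (unsigned char)((hex2num(first) << 4) | hex2num(second));
}

/* Percent-decode src into dst (dst needs strlen(src) + 1 bytes).
   Returns the number of bytes written, or -1 on a malformed escape. */
int percent_decode(const char *src, char *dst, unsigned char (*dec)(char, char))
{
    char *out = dst;
    while (*src) {
        if (*src == '%') {
            if (hex2num(src[1]) < 0 || hex2num(src[2]) < 0) return -1;
            *out++ = (char)dec(src[1], src[2]);
            src += 3;
        } else {
            *out++ = *src++;
        }
    }
    *out = '\0';
    return (int)(out - dst);
}

int main(void)
{
    const char *in = "/generate-ac%3Fa%3D1"; /* constructed sample input */
    char good[32], bad[32];
    percent_decode(in, good, decode_fixed);
    percent_decode(in, bad, decode_buggy);
    printf("fixed: \"%s\"  buggy: \"%s\" (strlen %zu)\n", good, bad, strlen(bad));
    return 0;
}
```

With the buggy grouping, only escapes whose second digit is 0 decode correctly; other escapes yield a wrong byte, which for this sample is a NUL that cuts the C string short.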