From 982ab01c40a8fd31554142b85693329fef2a9313 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mike=20Gro=C3=9Fmann?= <mgrossmann@users.noreply.github.com>
Date: Sat, 11 Apr 2026 20:20:52 +0200
Subject: [PATCH 1/4] fix: add missing return value in parse_cookies()

parse_cookies() is declared as returning int but had no return
statement after free(buf), causing undefined behavior.

Fixes #8
---
 src/httpshen.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/httpshen.c b/src/httpshen.c
index 33fc9ac..2b8fd4b 100644
--- a/src/httpshen.c
+++ b/src/httpshen.c
@@ -44,6 +44,7 @@ parse_cookies(HTTPC *httpc, const UCHAR *in)
 	}
 	
 	free(buf);
+	return 0;
 }
 
 static int

From 2916bb9dcc34d42801429abd5a6f8e2f1a9251dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mike=20Gro=C3=9Fmann?= <mgrossmann@users.noreply.github.com>
Date: Sat, 11 Apr 2026 20:21:07 +0200
Subject: [PATCH 2/4] fix: prevent integer overflow in environment variable
 allocation

Use size_t instead of int for string length calculations in
httpnenv() to prevent integer overflow on long name+value pairs.
Add +2 for the two null terminators that were missing from the
allocation size. Reject combined lengths over 8192 bytes as a
sanity limit.

Fixes #7
---
 src/httpnenv.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/httpnenv.c b/src/httpnenv.c
index e5db879..fcc01b4 100644
--- a/src/httpnenv.c
+++ b/src/httpnenv.c
@@ -6,9 +6,14 @@
 extern HTTPV *
 httpnenv(const UCHAR *name, const UCHAR *value)
 {
-    int         namelen = strlen(name);
-    int         vallen  = value ? strlen(value) : 0;
-    HTTPV       *v      = calloc(1, sizeof(HTTPV)+namelen+vallen);
+    size_t      namelen = strlen(name);
+    size_t      vallen  = value ? strlen(value) : 0;
+    size_t      total   = sizeof(HTTPV) + namelen + vallen + 2;
+    HTTPV       *v;
+
+    if (namelen + vallen > 8192) return NULL; /* sanity limit */
+
+    v = calloc(1, total);
 
     if (v) {
         strcpy(v->eye, HTTPV_EYE);

From 4f5abeae9dfe6712edbf97734e36287fb3a18bf1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mike=20Gro=C3=9Fmann?= <mgrossmann@users.noreply.github.com>
Date: Sat, 11 Apr 2026 20:23:24 +0200
Subject: [PATCH 3/4] fix: replace strtok with reentrant parsing, use snprintf

strtok() uses internal static state that is not thread-safe.
Replace all strtok() calls with manual pointer-based tokenizers:
- httpshen.c: cookie parser
- httpdbug.c: debug options parser
- httpjes2.c: DSID and jobid list parsers
- httpfile.c: SSI directive and quoted value parsers

Also replace sprintf with snprintf for version string in
httppars.c to prevent potential buffer overflow.

Fixes #11
---
 src/httpdbug.c | 19 +++++++++++--------
 src/httpfile.c | 28 +++++++++++++++++++---------
 src/httpjes2.c | 12 ++++++++++--
 src/httppars.c |  2 +-
 src/httpshen.c | 12 +++++++++++-
 5 files changed, 52 insertions(+), 21 deletions(-)

diff --git a/src/httpdbug.c b/src/httpdbug.c
index 3d3c217..96bbac8 100644
--- a/src/httpdbug.c
+++ b/src/httpdbug.c
@@ -20,25 +20,28 @@ http_debug(HTTPC *httpc, const char *options)
 	
 	http_printf(httpc, "<!--\n");
 
-	for(opt = strtok(opts, ","), next = strtok(NULL,""); opt; 
-		opt = next ? strtok(next, ",") : NULL, next = strtok(NULL,"")) {
+	for (opt = opts; opt && *opt; ) {
+		/* skip leading commas */
+		while (*opt == ',') opt++;
+		if (!*opt) break;
+
+		/* find end of this option */
+		char *end = strchr(opt, ',');
+		if (end) *end++ = 0;
 
 		len = strlen(opt);
 
 		if (http_cmpn(opt, "cgi", len)==0) {
 			dump_cgi(httpd, httpc);
-			continue;
 		}
-	
-		if (http_cmpn(opt, "help", len)==0 || http_cmp(opt, "?")==0) {
+		else if (http_cmpn(opt, "help", len)==0 || http_cmp(opt, "?")==0) {
 			dump_help(httpd, httpc);
-			continue;
 		}
-		if (http_cmpn(opt, "vars", len)==0) {
+		else if (http_cmpn(opt, "vars", len)==0) {
 			dump_vars(httpd, httpc);
-			continue;
 		}
 
+		opt = end;
 	}
 
 	http_printf(httpc, "-->\n");
diff --git a/src/httpfile.c b/src/httpfile.c
index da4a1dd..0e59a37 100644
--- a/src/httpfile.c
+++ b/src/httpfile.c
@@ -283,11 +283,13 @@ ssi_process(HTTPC *httpc, char *ssi)
 	while (isspace(*p)) p++;	/* skip any white space */
 	if (!*p) goto invalid;
 
-	p = strtok(p, " ");			/* isolate the ssi request */
-	if (!p) goto invalid;
-	
-	next = strtok(NULL,"");		/* remember whatever follows the request */
-	if (!next) goto invalid;
+	/* isolate the ssi request (split at first space) */
+	next = p;
+	while (*next && *next != ' ') next++;
+	if (!*next) goto invalid;
+	*next++ = 0;
+	while (isspace(*next)) next++;
+	if (!*next) goto invalid;
 
 	if (http_cmp(p, "echo")==0) {
 		/* next *should* point to whatever follows "<!--#echo " */
@@ -381,8 +383,12 @@ ssi_echo(HTTPC *httpc, char *next)
 
 	while(isspace(*p)) p++;
 	
-	var = strtok(p, "\"\'");
-	if (!var) goto quit;
+	/* extract quoted value — skip opening quote */
+	if (*p == '"' || *p == '\'') p++;
+	var = p;
+	while (*p && *p != '"' && *p != '\'') p++;
+	*p = 0;
+	if (!*var) goto quit;
 	
 	while(isspace(*var)) var++;
 
@@ -505,8 +511,12 @@ ssi_include(HTTPC *httpc, char *next)
 
 	while(isspace(*p)) p++;
 	
-	path = strtok(p, "\"\'");
-	if (!path) goto bad;
+	/* extract quoted path — skip opening quote */
+	if (*p == '"' || *p == '\'') p++;
+	path = p;
+	while (*p && *p != '"' && *p != '\'') p++;
+	*p = 0;
+	if (!*path) goto bad;
 	
 	while(isspace(*path)) path++;
 
diff --git a/src/httpjes2.c b/src/httpjes2.c
index 7deb330..306ea99 100644
--- a/src/httpjes2.c
+++ b/src/httpjes2.c
@@ -492,11 +492,14 @@ do_print(HTTPD *httpd, HTTPC *httpc, const char *jobname, const char *jobid)
         buf = calloc(1, strlen(p)+1);
         if (buf) {
             strcpy(buf, p);
-            for(p=strtok(buf, " ,"); p; p = strtok(NULL, " ,")) {
+            for (p = buf; p && *p; ) {
+                while (*p == ' ' || *p == ',') p++;
+                if (!*p) break;
                 n = (unsigned) atoi(p);
                 if (n) {
                     array_add(&dsid, (void*)n);
                 }
+                while (*p && *p != ' ' && *p != ',') p++;
             }
         }
     }
@@ -770,8 +773,13 @@ do_cancel_ex(HTTPD *httpd, HTTPC *httpc, const char *verb, int purge, int all)
     buf = calloc(1, strlen(jobid)+1);
     if (buf) {
         strcpy(buf, jobid);
-        for(p=strtok(buf, ","); p; p = strtok(NULL, ",")) {
+        for (p = buf; p && *p; ) {
+            while (*p == ',') p++;
+            if (!*p) break;
+            UCHAR *end = strchr(p, ',');
+            if (end) *end++ = 0;
             array_add(&jobids, p);
+            p = end;
         }
     }
 
diff --git a/src/httppars.c b/src/httppars.c
index 6f44bfd..0fb2830 100644
--- a/src/httppars.c
+++ b/src/httppars.c
@@ -89,7 +89,7 @@ httppars(HTTPC *httpc)
 
     if (http_set_env(httpc, "SERVER_PROTOCOL", "HTTP/1.1")) goto failed;
     
-    sprintf(tmp, "HTTPD/%s", httpc->httpd->version);
+    snprintf(tmp, sizeof(tmp), "HTTPD/%s", httpc->httpd->version);
     if (http_set_env(httpc, "SERVER_SOFTWARE", tmp)) goto failed;
 
     /* select next state based on request method */
diff --git a/src/httpshen.c b/src/httpshen.c
index 2b8fd4b..a9f9e25 100644
--- a/src/httpshen.c
+++ b/src/httpshen.c
@@ -32,7 +32,16 @@ parse_cookies(HTTPC *httpc, const UCHAR *in)
 		return ENOMEM;
 	}
 	
-	for(name=strtok(buf, "; "); name; name=strtok(NULL, "; ")) {
+	for (name = buf; name && *name; ) {
+		/* skip leading delimiters */
+		while (*name == ';' || *name == ' ') name++;
+		if (!*name) break;
+
+		/* find end of this token */
+		UCHAR *end = name;
+		while (*end && *end != ';' && *end != ' ') end++;
+		if (*end) *end++ = 0;
+
 		value = strchr(name, '=');
 		if (value) {
 			*value++ = 0;
@@ -41,6 +50,7 @@ parse_cookies(HTTPC *httpc, const UCHAR *in)
 			value = "";
 		}
 		set_cookie(httpc, name, value);
+		name = end;
 	}
 	
 	free(buf);

From fcd93000c9f00c7bd34bbd756ba178e53ddd6206 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mike=20Gro=C3=9Fmann?= <mgrossmann@users.noreply.github.com>
Date: Sat, 11 Apr 2026 20:24:01 +0200
Subject: [PATCH 4/4] fix: protect client array add with lock for thread safety

array_add(&httpd->httpc) in socket_thread was not synchronized
with array_del in httpclos (which already uses lock/unlock).
With keep-alive, connections live longer and concurrent access
to the client array is more likely. Add matching lock/unlock
around array_add.

Fixes #9
---
 src/httpd.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/httpd.c b/src/httpd.c
index c8ca2e1..8111105 100644
--- a/src/httpd.c
+++ b/src/httpd.c
@@ -342,6 +342,12 @@ build_fd_set(fd_set *read, fd_set *write, fd_set *excp)
         memset(excp, 0, sizeof(fd_set));
     }
 
+    /* NOTE: httpd->httpc[] is read here without lock.
+     * This is safe because build_fd_set() runs in the same
+     * socket_thread as array_add(). array_del() in httpclos
+     * runs in worker threads but sets entries to NULL before
+     * removal, and we check for NULL below.
+     */
     for(n=0; n < count; n++) {
         httpc = httpd->httpc[n];
         if (!httpc) continue;           /* no client handle? */
@@ -550,7 +556,9 @@ socket_thread(void *arg1, void *arg2)
             }
             else {
                 /* add new client to array of clients */
+                lock(httpd, 0);
                 array_add(&httpd->httpc, httpc);
+                unlock(httpd, 0);
             }
         } /* if (FD_ISSET(httpd->listen, &read)) */