Aric Stewart wrote:

Index: dlls/wininet/http.c

RCS file: /home/wine/wine/dlls/wininet/http.c,v retrieving revision 1.113 diff -u -r1.113 http.c --- dlls/wininet/http.c 22 Nov 2005 14:53:30 -0000 1.113 +++ dlls/wininet/http.c 22 Nov 2005 15:35:24 -0000 @@ -629,6 +634,26 @@

/* We appear to do nothing with the buffer.. is that correct? */

• if(!(lpwhr->hdr.dwFlags & INTERNET_FLAG_NO_AUTO_REDIRECT))
• {

•    DWORD dwCode,dwCodeLength=sizeof(DWORD),dwIndex=0;
  

•    if(HTTP_HttpQueryInfoW(lpwhr,HTTP_QUERY_FLAG_NUMBER|HTTP_QUERY_STATUS_CODE,&dwCode,&dwCodeLength,&dwIndex) &&
  

•        (dwCode==302 || dwCode==301))
  

•    {
  

•        WCHAR szNewLocation[2048];
  

•        DWORD dwBufferSize=2048;
  

•        dwIndex=0;
  

•        if(HTTP_HttpQueryInfoW(lpwhr,HTTP_QUERY_LOCATION,szNewLocation,&dwBufferSize,&dwIndex))
  

•        {
  

•            static const WCHAR szGET[] = { 'G','E','T', 0 };
  

•            /* redirects are always GETs */
  

•            HeapFree(GetProcessHeap(),0,lpwhr->lpszVerb);
  

•            lpwhr->lpszVerb = WININET_strdupW(szGET);
  

•            return HTTP_HandleRedirect(lpwhr, szNewLocation, NULL, 0, NULL, 0);
  

•        }
  

•    }
  

• }
• TRACE("%i <--\n",rc); return rc;

}

This proves that HttpSendRequestEx and HttpSendRequest need to share more code.

@@ -1849,13 +1885,26 @@ #endif

    HeapFree(GetProcessHeap(), 0, lpwhs->lpszServerName);

•    lpwhs->lpszServerName = WININET_strdupW(hostName);
  

•    if (urlComponents.nPort != INTERNET_DEFAULT_HTTP_PORT &&
  

•            urlComponents.nPort != INTERNET_DEFAULT_HTTPS_PORT)
  

•    {
  

•        int len;
  

•        static WCHAR fmt[] = {'%','s',':','%','i',0};
  

•        len = lstrlenW(hostName);
  

•        len+=6;
  

•        lpwhs->lpszServerName = HeapAlloc(GetProcessHeap(),0,len*sizeof(WCHAR));
  
  
  

I submitted a patch to unbreak the Host header for proxies that means you should be changing lpwhs->lpszHostName now.

•        sprintfW(lpwhs->lpszServerName,fmt,hostName,urlComponents.nPort);
  

•    }
  

•    else
  

•        lpwhs->lpszServerName = WININET_strdupW(hostName);
  

•    HTTP_ProcessHeader(lpwhr, g_szHost, lpwhs->lpszServerName, HTTP_ADDREQ_FLAG_ADD | HTTP_ADDREQ_FLAG_REPLACE | HTTP_ADDHDR_FLAG_REQ);
  

And you should be sending lpwhs->lpszHostName.

@@ -1868,6 +1917,9 @@ return FALSE; }

•    if (lstrlenW(extra)>0)
  

•        StrCatW(path,extra);
  
  

Why are you using a shlwapi string function? What's wrong with strcatW or lstrcatW?

Also, this could easily cause a buffer overflow by a server sending a redirect with a large query. You need to check that there is enough space before blinding copying into the buffer.

- Rob Shearman