If a specially crafted request was sent, it is possible to crash mod_dav or
mod_cache, as they accessed a field that is set to NULL by the URI parser,
assuming that it always put in a valid string.
PR: 49246
Submitted by: Mark Drayton
Patch by: Jeff Trawick
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@966349 13f79535-47bb-0310-9956-ffa450edef68
-*- coding: utf-8 -*-
Changes with Apache 2.2.16
+ *) SECURITY: CVE-2010-1452 (cve.mitre.org)
+ mod_dav, mod_cache: Fix Handling of requests without a path segment.
+ PR: 49246 [Mark Drayton, Jeff Trawick]
+
*) SECURITY: CVE-2010-2068 (cve.mitre.org)
mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection
for platforms Windows, Netware and OS2. PR: 49417. [Rainer Jung]
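Review bot: the new CHANGES entry, "Fix Handling of requests without a path segment", does not say what the failure was. The commit message describes a crash in mod_dav or mod_cache caused by a NULL field, and stating that in the entry would let administrators judge the impact. "Handling" should also be lower case, matching "Fix timeout detection" in the entry below.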
/** The URI without any parsing performed */
char *unparsed_uri;
- /** The path portion of the URI */
+ /** The path portion of the URI, or "/" if no path provided */
char *uri;
/** The filename on disk corresponding to this response */
char *filename;
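Review bot: the updated comment on uri documents the "/" fallback, but it does not mention the field that actually causes the problem, parsed_uri.path, which per the commit message can be NULL. Consider adding a sentence here along the lines of "use this rather than parsed_uri.path, which may be NULL", so module authors reading the header see which field is safe to dereference.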
* Check if we need to ignore session identifiers in the URL and do so
* if needed.
*/
- path = r->parsed_uri.path;
+ path = r->uri;
querystring = r->parsed_uri.query;
if (conf->ignore_session_id->nelts) {
int i;
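Review bot: querystring, on the line after the change, is still read from r->parsed_uri.query, which is NULL when the request carries no query string. The code that follows should be checked to confirm it tests querystring before using it. A short comment next to path = r->uri; saying why r->uri is used would also keep a later cleanup from switching it back to r->parsed_uri.path.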
*/
cache->key = apr_pstrdup(r->pool, *key);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
- "cache: Key for entity %s?%s is %s", r->parsed_uri.path,
+ "cache: Key for entity %s?%s is %s", r->uri,
r->parsed_uri.query, *key);
return APR_SUCCESS;
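Review bot: in the ap_log_error call the second %s still receives r->parsed_uri.query, which is NULL for a request without a query string, so the debug line would show (null) after the question mark. Passing r->parsed_uri.query ? r->parsed_uri.query : "" would keep the message readable and make the NULL case explicit.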
/* 2518 specifies this must be an absolute URI; just take the
* relative part for later comparison against r->uri */
- if (apr_uri_parse(r->pool, uri, &parsed_uri) != APR_SUCCESS) {
+ if (apr_uri_parse(r->pool, uri, &parsed_uri) != APR_SUCCESS
+ || !parsed_uri.path) {
return dav_new_error(r->pool, HTTP_BAD_REQUEST,
DAV_ERR_IF_TAGGED,
"Invalid URI in tagged If-header.");
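Review bot: the added || !parsed_uri.path check rejects a tagged URI that has no path with HTTP_BAD_REQUEST, while the core now documents r->uri as "/" when no path is provided. Since the comment above says the relative part is later compared against r->uri, consider treating a missing path as "/" here as well, or extend the comment to say the rejection is deliberate.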