Fixed an infinite loop for references above the server root.

PR:	748
Submitted by:	Dean Gaudet
Reviewed by:	Brian Behlendorf

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3@78847 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/APACHE_1_2_X/src/CHANGES b/APACHE_1_2_X/src/CHANGES
index 41e377d4e0779a937aa487b01ef14c1588e01637..66f438959a8f71522cc6dc39add1947a6d736127 100644 (file)
--- a/APACHE_1_2_X/src/CHANGES
+++ b/APACHE_1_2_X/src/CHANGES
@@ -1,5 +1,8 @@
 Changes with Apache 1.2.2
 
+  *) Fixed an infinite loop in mod_imap for references above the server root
+     [Dean Gaudet] PR#748
+
   *) mod_include cleanup showed that handle_else was being used to handle
      endif.  It didn't cause problems, but it was cleaned up too.
      [Howard Fear]

diff --git a/APACHE_1_2_X/src/modules/standard/mod_imap.c b/APACHE_1_2_X/src/modules/standard/mod_imap.c
index e65925b5a302df506df54f444bfb97291c54b4a6..11d7fe73829b3c4677516d9cad7ec4d19f27701e 100644 (file)
--- a/APACHE_1_2_X/src/modules/standard/mod_imap.c
+++ b/APACHE_1_2_X/src/modules/standard/mod_imap.c
@@ -475,6 +475,10 @@ void imap_url(request_rec *r, char *base, char *value, char *url)
          }
 
          value += 2;      /* jump over the '..' that we found in the value */
+      } else if (directory) {
+       url[0] = '\0';
+       log_reason("invalid directory name in map file", r->uri, r);
+       return;
       }
       
       if (! strncmp(value, "/../", 4) || ! strcmp(value, "/..") )