Changes with Apache 2.0.48
+ *) SECURITY: CAN-2003-0542 (cve.mitre.org)
+ Fix buffer overflows in mod_alias and mod_rewrite which occurred if
+ one configured a regular expression with more than 9 captures.
+ [André Malo]
+
*) mod_include: fix segfault which occured if the filename was not
set, for example, when processing some error conditions.
PR 23836. [Brian Akins <bakins@web.turner.com>, André Malo]
/** The size of the server's internal read-write buffers */
#define AP_IOBUFSIZE 8192
+/** The max number of regex captures that can be expanded by ap_pregsub */
+#define AP_MAX_REG_MATCH 10
+
/**
* APR_HAS_LARGE_FILES introduces the problem of spliting sendfile into
* mutiple buckets, no greater than MAX(apr_size_t), and more granular
int doesc, int *status)
{
alias_entry *entries = (alias_entry *) aliases->elts;
- regmatch_t regm[10];
+ regmatch_t regm[AP_MAX_REG_MATCH];
char *found = NULL;
int i;
int l;
if (p->regexp) {
- if (!ap_regexec(p->regexp, r->uri, p->regexp->re_nsub + 1, regm,
- 0)) {
+ if (!ap_regexec(p->regexp, r->uri, AP_MAX_REG_MATCH, regm, 0)) {
if (p->real) {
found = ap_pregsub(r->pool, p->real, r->uri,
- p->regexp->re_nsub + 1, regm);
+ AP_MAX_REG_MATCH, regm);
if (found && doesc) {
apr_uri_t uri;
apr_uri_parse(r->pool, found, &uri);
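Review bot: Pinning nmatch to AP_MAX_REG_MATCH at line 29 removes the overflow, but a pattern with more than 9 groups is still accepted and its extra captures silently become unreachable from the substitution, and nothing on the new side says so. I would add above the ap_regexec call `/* regm has AP_MAX_REG_MATCH slots: groups beyond $9 are matched but never expanded */`, and the same comment fits the parallel calls in the mod_rewrite hunks at lines 49 and 65. Whether the pattern-compilation site (not shown here) should warn about such patterns is worth checking, since the truncation is otherwise invisible to the administrator. The enclosing mod_alias function starts before this hunk and continues after it.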
const char *vary;
char newuri[MAX_STRING_LEN];
regex_t *regexp;
- regmatch_t regmatch[MAX_NMATCH];
+ regmatch_t regmatch[AP_MAX_REG_MATCH];
backrefinfo *briRR = NULL;
backrefinfo *briRC = NULL;
int prefixstrip;
rewritelog(r, 3, "[per-dir %s] applying pattern '%s' to uri '%s'",
perdir, p->pattern, uri);
}
- rc = (ap_regexec(regexp, uri, regexp->re_nsub+1, regmatch, 0) == 0);
+ rc = (ap_regexec(regexp, uri, AP_MAX_REG_MATCH, regmatch, 0) == 0);
if (! (( rc && !(p->flags & RULEFLAG_NOTMATCH)) ||
(!rc && (p->flags & RULEFLAG_NOTMATCH)) ) ) {
return 0;
char input[MAX_STRING_LEN];
apr_finfo_t sb;
request_rec *rsub;
- regmatch_t regmatch[MAX_NMATCH];
+ regmatch_t regmatch[AP_MAX_REG_MATCH];
int rc;
/*
}
else {
/* it is really a regexp pattern, so apply it */
- rc = (ap_regexec(p->regexp, input,
- p->regexp->re_nsub+1, regmatch,0) == 0);
+ rc = (ap_regexec(p->regexp, input, AP_MAX_REG_MATCH, regmatch,0) == 0);
/* if it isn't a negated pattern and really matched
we update the passed-through regex subst info structure */
bri = briRC;
}
/* see ap_pregsub() in src/main/util.c */
- if (bri && n <= bri->nsub
+ if (bri && n < AP_MAX_REG_MATCH
&& bri->regmatch[n].rm_eo > bri->regmatch[n].rm_so) {
span = bri->regmatch[n].rm_eo - bri->regmatch[n].rm_so;
if (span > space) {
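Review bot: The guard at line 72 now relies on `bri->regmatch[n].rm_eo > bri->regmatch[n].rm_so` alone to reject groups the pattern does not have, which holds only because every ap_regexec call in this file passes nmatch == AP_MAX_REG_MATCH so unused slots are filled with -1; the `n < AP_MAX_REG_MATCH` half is presumably always true if n comes from a single decimal digit. That dependency deserves a line, e.g. replace the comment at line 70 with `/* see ap_pregsub() in src/main/util.c; absent groups have rm_so == rm_eo == -1 because ap_regexec was given AP_MAX_REG_MATCH slots */`. With this change `bri->nsub` (mod_rewrite.h, line 84) no longer bounds anything here; if it has no other reader, mark it informational in the struct or drop it. The enclosing function begins and ends outside the hunk.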
/*** max cookie size in rfc 2109 ***/
#define MAX_COOKIE_LEN 4096
-#define MAX_NMATCH 10
-
/* default maximum number of internal redirects */
#define REWRITE_REDIRECT_LIMIT 10
typedef struct backrefinfo {
char *source;
int nsub;
- regmatch_t regmatch[10];
+ regmatch_t regmatch[AP_MAX_REG_MATCH];
} backrefinfo;
} state;
} proxy_dir_ctx_t;
+/* fallback regex for ls -s1; ($0..$2) == 3 */
+#define LS_REG_PATTERN "^ *([0-9]+) +([^ ]+)$"
+#define LS_REG_MATCH 3
+
apr_status_t ap_proxy_send_dir_filter(ap_filter_t *f, apr_bucket_brigade *in)
{
request_rec *r = f->r;
int eos = 0;
regex_t *re = NULL;
- regmatch_t re_result[3];
+ regmatch_t re_result[LS_REG_MATCH];
/* Compile the output format of "ls -s1" as a fallback for non-unix ftp listings */
- re = ap_pregcomp(p, "^ *([0-9]+) +([^ ]+)$", REG_EXTENDED);
+ re = ap_pregcomp(p, LS_REG_PATTERN, REG_EXTENDED);
/* get a complete line */
/* if the buffer overruns - throw data away */
}
}
/* Try a fallback for listings in the format of "ls -s1" */
- else if (0 == ap_regexec(re, ctx->buffer, 3, re_result, 0)) {
+ else if (0 == ap_regexec(re, ctx->buffer, LS_REG_MATCH, re_result, 0)) {
filename = apr_pstrndup(p, &ctx->buffer[re_result[2].rm_so], re_result[2].rm_eo - re_result[2].rm_so);