From: dgaudet Date: Fri, 21 Sep 2001 03:51:54 +0000 (+0000) Subject: ErrorDocument 404 pointing to a parsed html file with a X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=07dfc4f69ca47e12d0686de214ec21b88f3361d5;p=thirdparty%2Fapache%2Fhttpd.git ErrorDocument 404 pointing to a parsed html file with a with a request URI containing %2f would result in a segfault (NULL pointer deref, not a security problem). PR: 8362 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@91097 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/src/CHANGES b/src/CHANGES
index b0a461c12e5..55739373481 100644
--- a/src/CHANGES
+++ b/src/CHANGES
@@ -1,5 +1,10 @@ Changes with Apache 1.3.21 + *) ErrorDocument 404 pointing to a parsed html file with a + with a request URI containing + %2f would result in a segfault (NULL pointer deref, not a + security problem). [Jeff Moe , Dean Gaudet] PR#8362 + *) UnsetEnv from main body of httpd.conf file didn't work; backport of bugfix from 2.0 codebase. [Gary Benson ] PR#8254
diff --git a/src/include/httpd.h b/src/include/httpd.h
index 48f5a6bb044..b6bcb0567f5 100644
--- a/src/include/httpd.h
+++ b/src/include/httpd.h
@@ -806,7 +806,7 @@ struct request_rec {
 char *unparsed_uri; /* the uri without any parsing performed */
 char *uri; /* the path portion of the URI */
- char *filename;
+ char *filename; /* filename if found, otherwise NULL */
 char *path_info;
 char *args; /* QUERY_ARGS, if any */
 struct stat finfo; /* ST_MODE set to zero if no such file */
diff --git a/src/modules/standard/mod_include.c b/src/modules/standard/mod_include.c
index e09d572333a..83dd08f6d72 100644
--- a/src/modules/standard/mod_include.c
+++ b/src/modules/standard/mod_include.c
@@ -718,7 +718,7 @@ static int handle_include(FILE *in, request_rec *r, const char *error, int noexe
 for (p = r; p != NULL && !founddupe; p = p->main) {
 request_rec *q;
 for (q = p; q != NULL; q = q->prev) {
- if ( (strcmp(q->filename, rr->filename) == 0) ||
+ if ( (q->filename && strcmp(q->filename, rr->filename) == 0) ||
 (strcmp(q->uri, rr->uri) == 0) ){
 founddupe = 1;
 break;
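Review bot: The added `q->filename &&` guard covers only one of the four pointers this condition hands to `strcmp`; `rr->filename` on the same line, and `q->uri` / `rr->uri` on the next, are still dereferenced unchecked. The httpd.h comment added in this same commit says `filename` is NULL when no file was found, and nothing visible in the hunk shows that the sub-request `rr` is exempt from that. Unless a status check earlier in `handle_include` (its body starts and ends outside this hunk) already rules it out, I would write `if ( (q->filename && rr->filename && strcmp(q->filename, rr->filename) == 0) ||`. Because the original crash was triggered by the request URI, a one-line comment above the comparison such as `/* filename is NULL when the request mapped to no file (PR#8362) */` would also keep the guard from being dropped in a later cleanup.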