From: William A. Rowe Jr Date: Wed, 26 Jun 2013 21:16:53 +0000 (+0000) Subject: mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with X-Git-Tag: 2.2.25~32 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=383133e2380785f4e93248555bbca9f8a7e69bfe;p=thirdparty%2Fapache%2Fhttpd.git mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault. Backports: r1485668 Reviewed by: minfrin, trawick, wrowe Submitted by: Ben Reser git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1497101 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 698311a983b..a4764f7a362 100644 --- a/CHANGES +++ b/CHANGES @@ -16,6 +16,11 @@ Changes with Apache 2.2.25 with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698. [Keith Burdis , Joe Orton, Kaspar Brand] + *) mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with + the source href (sent as part of the request body as XML) pointing to a + URI that is not configured for DAV will trigger a segfault. [Ben Reser + ] + Changes with Apache 2.2.24 *) SECURITY: CVE-2012-3499 (cve.mitre.org) diff --git a/STATUS b/STATUS index 78d3181d28a..04d73276bc2 100644 --- a/STATUS +++ b/STATUS @@ -114,13 +114,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with - the source href (sent as part of the request body as XML) pointing to a - URI that is not configured for DAV will trigger a segfault. - trunk patch: http://svn.apache.org/r1485668 - 2.2.x patch: trunk works, modulo CHANGES - +1: minfrin, trawick, wrowe - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/dav/main/mod_dav.c b/modules/dav/main/mod_dav.c index 90370c6cc32..cae1bfd173a 100644 --- a/modules/dav/main/mod_dav.c +++ b/modules/dav/main/mod_dav.c @@ -719,6 +719,12 @@ static dav_error *dav_get_resource(request_rec *r, int label_allowed, conf = ap_get_module_config(r->per_dir_config, &dav_module); /* assert: conf->provider != NULL */ + if (conf->provider == NULL) { + return dav_new_error(r->pool, HTTP_METHOD_NOT_ALLOWED, 0, 0, + apr_psprintf(r->pool, + "DAV not enabled for %s", + ap_escape_html(r->pool, r->uri))); + } /* resolve the resource */ err = (*conf->provider->repos->get_resource)(r, conf->dir, @@ -2650,11 +2656,6 @@ static int dav_method_copymove(request_rec *r, int is_move) "Destination URI had an error."); } - if (dav_get_provider(lookup.rnew) == NULL) { - return dav_error_response(r, HTTP_METHOD_NOT_ALLOWED, - "DAV not enabled for Destination URI."); - } - /* Resolve destination resource */ err = dav_get_resource(lookup.rnew, 0 /* label_allowed */, 0 /* use_checked_in */, &resnew);