From: Stefan Fritsch Date: Wed, 4 Jan 2012 20:03:11 +0000 (+0000) Subject: SECURITY: CVE-2012-0021 (cve.mitre.org) X-Git-Tag: 2.2.22~42 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=86d2098ca89d5aae76c593e62e2a9536ef927d64;p=thirdparty%2Fapache%2Fhttpd.git SECURITY: CVE-2012-0021 (cve.mitre.org) Merge r1225380: Fix segfault when logging nameless, valueless cookie PR: 52256 Reviewed by: Stefan Fritsch, Greg Ames, Eric Covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1227292 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index f6e2ebbb292..6a1812ce820 100644 --- a/CHANGES +++ b/CHANGES @@ -11,6 +11,9 @@ Changes with Apache 2.2.22 is enabled, could allow local users to gain privileges via a .htaccess file. [Stefan Fritsch, Greg Ames] + *) mod_log_config: Fix segfault when logging nameless, valueless cookie. + PR 52256. [Stefan Fritsch] + *) core: Fix segfault in ap_send_interim_response(). PR 52315. [Stefan Fritsch] diff --git a/STATUS b/STATUS index c8b1410971f..6341673288c 100644 --- a/STATUS +++ b/STATUS @@ -107,11 +107,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: and 2.4.x no longer support this version, see r1203491 and r1203495) +1: kbrand (non-binding), rjung, jorton - * mod_log_config: Fix segfault when logging Nameless, Valueless cookie. PR 52256 - Trunk patch: http://svn.apache.org/viewvc?rev=1225380&view=rev - 2.2.x patch: trunk patch works - +1: sf, gregames, covener - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/loggers/mod_log_config.c b/modules/loggers/mod_log_config.c index 6a68336767d..9400f6a1776 100644 --- a/modules/loggers/mod_log_config.c +++ b/modules/loggers/mod_log_config.c 
@@ -524,19 +524,21 @@ static const char *log_cookie(request_rec *r, char *a)
 while ((cookie = apr_strtok(cookies, ";", &last1))) {
 char *name = apr_strtok(cookie, "=", &last2);
- char *value;
- apr_collapse_spaces(name, name);
-
- if (!strcasecmp(name, a) && (value = apr_strtok(NULL, "=", &last2))) {
- char *last;
- value += strspn(value, " \t"); /* Move past leading WS */
- last = value + strlen(value) - 1;
- while (last >= value && apr_isspace(*last)) {
- *last = '\0';
- --last;
+ if (name) {
+ char *value;
+ apr_collapse_spaces(name, name);
+
+ if (!strcasecmp(name, a) && (value = apr_strtok(NULL, "=", &last2))) {
+ char *last;
+ value += strspn(value, " \t"); /* Move past leading WS */
+ last = value + strlen(value) - 1;
+ while (last >= value && apr_isspace(*last)) {
+ *last = '\0';
+ --last;
+ }
+
+ return ap_escape_logitem(r->pool, value);
 }
-
- return ap_escape_logitem(r->pool, value);
 }
 cookies = NULL;
 }
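Review bot: The value lookup inside the new `if (name)` block still tokenises on `=` a second time via `apr_strtok(NULL, "=", &last2)`, so a cookie whose value itself contains `=` (base64 padding, for example) appears to be logged only up to that character, which weakens the access log as a forensic record. Once `name` is non-NULL, `last2` should already point just past the first `=`, so the remainder could be taken directly, e.g. `value = last2` guarded by `*value`; this relies on apr_strtok's handling of its state pointer and should be confirmed against its contract. Separately, the guard that fixes the crash has no comment; something like `/* apr_strtok() returns NULL when the segment holds only '=' delimiters */` above `if (name) {` would keep a later cleanup from removing it. The body of log_cookie starts and ends outside the hunk.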