prevent near infinite subrequest recursion with mod_negotiation enabled.

This can happen if there is a partial match between a bad URI and a
file with a variant extention.

ap_sub_req_lookup_dirent has apparently been generating bogus subrequest
URIs for ages, but they used to be ignored.  Once we started calling
ap_process_request_internal for all subrequests, they started causing
problems.  Make it explicit that rnew->uri is to be ignored for this type
of subrequest.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@91375 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/server/request.c b/server/request.c
index aa43ec504a0726717d56b3409554691914e657d2..1cdaaa257cacfc1ad35198ec8c14d344cd2685f1 100644 (file)
--- a/server/request.c
+++ b/server/request.c
@@ -1345,7 +1345,6 @@ AP_DECLARE(request_rec *) ap_sub_req_lookup_dirent(const apr_finfo_t *dirent,
     request_rec *rnew;
     int res;
     char *fdir;
-    char *udir;
 
     rnew = make_sub_request(r);
     fill_in_sub_req_vars(rnew, r, next_filter);
@@ -1363,15 +1362,12 @@ AP_DECLARE(request_rec *) ap_sub_req_lookup_dirent(const apr_finfo_t *dirent,
      * not even have to redo access checks.
      */
 
-    udir = ap_make_dirstr_parent(rnew->pool, r->uri);
-
     /* This is 100% safe, since dirent->name just came from the filesystem */
-    rnew->uri = ap_make_full_path(rnew->pool, udir, dirent->name);
     rnew->filename = ap_make_full_path(rnew->pool, fdir, dirent->name);
     if (r->canonical_filename == r->filename)
         rnew->canonical_filename = rnew->filename;
     
-    ap_parse_uri(rnew, rnew->uri);    /* fill in parsed_uri values */
+    rnew->uri = apr_pstrdup(rnew->pool, "");
 
     /* Preserve the apr_stat results, and perhaps we also tag that
      * symlinks were tested and/or found for r->filename.