From: Joe Orton
Date: Wed, 3 Jun 2026 15:53:50 +0000 (+0000)
Subject: * modules/ldap/util_ldap.c (uldap_connection_find): Fix inheritance in
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=354a94ee7fd4bd34bfe3e776e3b32d3344f435c7;p=thirdparty%2Fapache%2Fhttpd.git
* modules/ldap/util_ldap.c (uldap_connection_find): Fix inheritance in per-dir context.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1934932 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c
index 1cfa10eee4..00f9f91361 100644
--- a/modules/ldap/util_ldap.c
+++ b/modules/ldap/util_ldap.c
@@ -927,8 +927,23 @@ static util_ldap_connection_t *
 */
 l->secure = secureflag;
 
- /* save away a copy of the client cert list that is presently valid */
- l->client_certs = apr_array_copy_hdr(l->pool, dc->client_certs);
+ /* Deep-copy the client cert list into the connection pool so that
+ * the cached connection does not retain pointers into the
+ * (potentially short-lived) per-directory config pool.
+ */
+ l->client_certs = apr_array_copy(l->pool, dc->client_certs);
+ if (!apr_is_empty_array(l->client_certs)) {
+ int i;
+ apr_ldap_opt_tls_cert_t *certs;
+
+ certs = (apr_ldap_opt_tls_cert_t *)l->client_certs->elts;
+ for (i = 0; i < l->client_certs->nelts; i++) {
+ if (certs[i].path)
+ certs[i].path = apr_pstrdup(l->pool, certs[i].path);
+ if (certs[i].password)
+ certs[i].password = apr_pstrdup(l->pool, certs[i].password);
+ }
+ }
 
 /* whether or not to keep this connection in the pool when it's returned */
 l->keep = (st->connection_pool_ttl == 0) ? 0 : 1;
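Review bot: The deep copy in the new `for` loop hard-codes the two members it duplicates (`path` and `password`), so any pointer member later added to `apr_ldap_opt_tls_cert_t` would again leave the cached connection pointing into the per-directory pool; the struct definition is not visible here, so the current member list should be confirmed. I would record that dependency next to the loop, for example `/* every pointer member of apr_ldap_opt_tls_cert_t must be duplicated here; elements are otherwise copied by value */`. The comment could also note that `password` is a key passphrase that now lives in `l->pool` for the lifetime of each cached connection, which matters when reasoning about memory disclosure. As a style point, the two inner `if` statements have unbraced bodies; bracing them, as in `if (certs[i].path) {`, matches the braced `if` and `for` around them. The enclosing function begins and ends outside this hunk, so whether other fields of `l` are still assigned by reference from `dc` cannot be checked from here.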