httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dgau...@hyperreal.org
Subject cvs commit: apache-1.3/src/modules/standard mod_include.c
Date Tue, 26 May 1998 00:54:09 GMT
dgaudet     98/05/25 17:54:08

  Modified:    src      CHANGES
               src/modules/standard mod_include.c
  Log:
  $ followed by non alnum should expand to $... I broke this in 1.2.5
  security stuff.
  
  PR:		1921, 2249
  
  Revision  Changes    Path
  1.862     +4 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.861
  retrieving revision 1.862
  diff -u -r1.861 -r1.862
  --- CHANGES	1998/05/25 17:58:16	1.861
  +++ CHANGES	1998/05/26 00:54:06	1.862
  @@ -1,5 +1,9 @@
   Changes with Apache 1.3b8
   
  +  *) A zero-length name after a $ in an SSI document should cause
  +     just the $ to be in the expansion.  This was broken during the
  +     security fixes in 1.2.5.  [Dean Gaudet] PR#1921, 2249
  +
     *) Call ap_destroy_sub_req() in ap_add_cgi_vars() to reclaim some
        memory.  [Rob Saccoccio <robs@InfiniteTechnology.com>] PR#2252
   
  
  
  
  1.92      +17 -11    apache-1.3/src/modules/standard/mod_include.c
  
  Index: mod_include.c
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/src/modules/standard/mod_include.c,v
  retrieving revision 1.91
  retrieving revision 1.92
  diff -u -r1.91 -r1.92
  --- mod_include.c	1998/05/20 19:41:11	1.91
  +++ mod_include.c	1998/05/26 00:54:07	1.92
  @@ -532,20 +532,26 @@
   		/* what a pain, too bad there's no table_getn where you can
   		 * pass a non-nul terminated string */
   		l = end_of_var_name - start_of_var_name;
  -		l = (l > sizeof(var) - 1) ? (sizeof(var) - 1) : l;
  -		memcpy(var, start_of_var_name, l);
  -		var[l] = '\0';
  +		if (l != 0) {
  +		    l = (l > sizeof(var) - 1) ? (sizeof(var) - 1) : l;
  +		    memcpy(var, start_of_var_name, l);
  +		    var[l] = '\0';
   
  -		val = ap_table_get(r->subprocess_env, var);
  -		if (val) {
  -		    expansion = val;
  -		    l = strlen(expansion);
  +		    val = ap_table_get(r->subprocess_env, var);
  +		    if (val) {
  +			expansion = val;
  +			l = strlen(expansion);
  +		    }
  +		    else if (leave_name) {
  +			l = in - expansion;
  +		    }
  +		    else {
  +			break;	/* no expansion to be done */
  +		    }
   		}
  -		else if (leave_name) {
  -		    l = in - expansion;
  -		}
   		else {
  -		    break;	/* no expansion to be done */
  +		    /* zero-length variable name causes just the $ to be copied */
  +		    l = 1;
   		}
   		l = (l > end_out - next) ? (end_out - next) : l;
   		memcpy(next, expansion, l);
  
  
  

Mime
View raw message