httpd-dev mailing list archives

From Jim Meyering <...@meyering.net>
Subject [PATCH] don't access(r/w) uri[-1] when validating resource w/empty uri string
Date Thu, 05 Jul 2012 17:33:18 GMT
At first I thought there must be code to guarantee
that a URI (resource->uri) has length > 0, but since I found
similar guards against precisely that case, e.g.,

    modules/dav/fs/repos.c-822
        char *uri = ap_make_dirstr_parent(ctx->pool, resource->uri);
        if (strlen(uri) > 1 && uri[strlen(uri) - 1] == '/')
            uri[strlen(uri) - 1] = '\0';

    modules/mappers/mod_dir.c-231
        /* Redirect requests that are not '/' terminated */
        if (r->uri[0] == '\0' || r->uri[strlen(r->uri) - 1] != '/')

    modules/metadata/mod_cern_meta.c:293
        if (r->finfo.filetype == APR_DIR || r->uri[strlen(r->uri) - 1] == '/') {
        [ As I was looking through these other examples, I see that
          a zero-length r->uri could cause trouble here, too, since
          the above is *not* guarded. ]

it seems best to guard the use below, too:

>From 5609908643d8456c6f56197102161e56d87e56c4 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@redhat.com>
Date: Thu, 7 Jun 2012 20:36:16 +0200
Subject: [PATCH] don't access(r/w) uri[-1] when validating resource w/empty
 uri string

* modules/dav/main/util.c (dav_validate_resource_state):
Handle a zero-length URI string.
---
 modules/dav/main/util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c
index d076cc4..adddded 100644
--- a/modules/dav/main/util.c
+++ b/modules/dav/main/util.c
@@ -984,11 +984,11 @@ static dav_error * dav_validate_resource_state(apr_pool_t *p,
     ** URIs, but the majority of URIs provided to us via a resource walk
     ** will not contain that trailing slash.
     */
     uri = resource->uri;
     uri_len = strlen(uri);
-    if (uri[uri_len - 1] == '/') {
+    if (uri_len > 1 && uri[uri_len - 1] == '/') {
         dav_set_bufsize(p, pbuf, uri_len);
         memcpy(pbuf->buf, uri, uri_len);
         pbuf->buf[--uri_len] = '\0';
         uri = pbuf->buf;
     }
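Review bot: The new condition on the `+` line uses `uri_len > 1`, which does more than the log message's "Handle a zero-length URI string" says. Besides skipping the `uri[uri_len - 1]` read for an empty string, it also stops a lone "/" from being stripped, where the old code would have copied it into `pbuf` and reduced it to "". `uri_len > 0` alone would be enough to avoid the out-of-bounds index. If leaving "/" intact is intended (it matches the `strlen(uri) > 1` guard quoted from modules/dav/fs/repos.c), please say so in the commit message or in the comment above this block, so that the behaviour change is visible to whoever reads the code that later consumes `uri`.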
--
1.7.11.1.116.g8228a23
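The guard pattern discussed in this message, as an added stand-alone example that is not part of the original post or of httpd: the helper names `ends_with_slash` and `copy_without_trailing_slash` are hypothetical, and the sample URIs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not httpd code): 1 if s ends in '/', else 0.
 * The length test runs first, so s[len - 1] is never evaluated for "".
 * With an unsigned len of 0, len - 1 would wrap to SIZE_MAX. */
static int ends_with_slash(const char *s)
{
    size_t len = strlen(s);
    return len > 0 && s[len - 1] == '/';
}

/* Hypothetical helper: copy uri into buf without its trailing '/',
 * leaving "" and a lone "/" unchanged (the `uri_len > 1` rule used in
 * the patch). Returns the resulting length, or (size_t)-1 if buf is
 * too small to hold the result plus its terminator. */
static size_t copy_without_trailing_slash(const char *uri, char *buf,
                                          size_t buflen)
{
    size_t len = strlen(uri);

    if (len > 1 && uri[len - 1] == '/')
        len--;                      /* drop exactly one trailing slash */
    if (len + 1 > buflen)
        return (size_t)-1;          /* refuse rather than truncate */
    memcpy(buf, uri, len);
    buf[len] = '\0';
    return len;
}

int main(void)
{
    /* Constructed inputs covering the edge cases from the thread. */
    const char *samples[] = { "", "/", "/dav/col/", "/dav/file" };
    char buf[32];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = copy_without_trailing_slash(samples[i], buf, sizeof buf);
        printf("\"%s\" ends_with_slash=%d -> \"%s\" (len %zu)\n",
               samples[i], ends_with_slash(samples[i]), buf, n);
    }
    return 0;
}
```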
