dgaudet 98/05/25 17:54:08
Modified: src CHANGES src/modules/standard mod_include.c Log: $ followed by non alnum should expand to $... I broke this in 1.2.5 security stuff. PR: 1921, 2249 Revision Changes Path 1.862 +4 -0 apache-1.3/src/CHANGES Index: CHANGES =================================================================== RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.861 retrieving revision 1.862 diff -u -r1.861 -r1.862 --- CHANGES 1998/05/25 17:58:16 1.861 +++ CHANGES 1998/05/26 00:54:06 1.862 @@ -1,5 +1,9 @@ Changes with Apache 1.3b8 + *) A zero-length name after a $ in an SSI document should cause + just the $ to be in the expansion. This was broken during the + security fixes in 1.2.5. [Dean Gaudet] PR#1921, 2249 + *) Call ap_destroy_sub_req() in ap_add_cgi_vars() to reclaim some memory. [Rob Saccoccio <[EMAIL PROTECTED]>] PR#2252 1.92 +17 -11 apache-1.3/src/modules/standard/mod_include.c Index: mod_include.c =================================================================== RCS file: /export/home/cvs/apache-1.3/src/modules/standard/mod_include.c,v retrieving revision 1.91 retrieving revision 1.92 diff -u -r1.91 -r1.92 --- mod_include.c 1998/05/20 19:41:11 1.91 +++ mod_include.c 1998/05/26 00:54:07 1.92 
@@ -532,20 +532,26 @@ /* what a pain, too bad there's no table_getn where you can * pass a non-nul terminated string */ l = end_of_var_name - start_of_var_name; - l = (l > sizeof(var) - 1) ? (sizeof(var) - 1) : l; - memcpy(var, start_of_var_name, l); - var[l] = '\0'; + if (l != 0) { + l = (l > sizeof(var) - 1) ? (sizeof(var) - 1) : l; + memcpy(var, start_of_var_name, l); + var[l] = '\0'; - val = ap_table_get(r->subprocess_env, var); - if (val) { - expansion = val; - l = strlen(expansion); + val = ap_table_get(r->subprocess_env, var); + if (val) { + expansion = val; + l = strlen(expansion); + } + else if (leave_name) { + l = in - expansion; + } + else { + break; /* no expansion to be done */ + } } - else if (leave_name) { - l = in - expansion; - } else { - break; /* no expansion to be done */ + /* zero-length variable name causes just the $ to be copied */ + l = 1; } l = (l > end_out - next) ? (end_out - next) : l; memcpy(next, expansion, l);
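Review bot: The clamp `l = (l > sizeof(var) - 1) ? (sizeof(var) - 1) : l;`, now inside the new `if (l != 0)` branch, still truncates an over-long variable name silently, so `ap_table_get` is asked for a prefix of what the document wrote and may return the value of a different variable. It would be safer to treat a name that does not fit in `var` as unset and let the existing `leave_name` / `break` handling deal with it, as sketched below. Separately, the `l = 1` branch copies just the `$` only if `expansion` still points at it; that assignment and the declaration of `var` are outside this hunk, so a short comment stating the invariant would help.

```c
if (l != 0) {
    if (l < sizeof(var)) {
        memcpy(var, start_of_var_name, l);
        var[l] = '\0';
        val = ap_table_get(r->subprocess_env, var);
    }
    else {
        /* name cannot fit in var: treat it as unset rather than
         * looking up a truncated prefix */
        val = NULL;
    }
    /* … unchanged: val / leave_name / break handling … */
```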