dgaudet     98/05/25 17:55:30

  Modified:    src      CHANGES mod_include.c
  Log:
  $ followed by non alnum should expand to $... I broke this in 1.2.5
  security stuff.
  
  PR:             1921, 2249
  
  Revision  Changes    Path
  1.312     +4 -0      apache-1.2/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /export/home/cvs/apache-1.2/src/CHANGES,v
  retrieving revision 1.311
  retrieving revision 1.312
  diff -u -r1.311 -r1.312
  --- CHANGES   1998/05/25 18:07:31     1.311
  +++ CHANGES   1998/05/26 00:55:28     1.312
  @@ -1,5 +1,9 @@
   Changes with Apache 1.2.7
   
  +  *) A zero-length name after a $ in an SSI document should cause
  +     just the $ to be in the expansion.  This was broken during the
  +     security fixes in 1.2.5.  [Dean Gaudet] PR#1921, 2249
  +
     *) Call ap_destroy_sub_req() in ap_add_cgi_vars() to reclaim some
        memory.  [Rob Saccoccio <[EMAIL PROTECTED]>] PR#2252
   
  
  
  
  1.41      +17 -11    apache-1.2/src/mod_include.c
  
  Index: mod_include.c
  ===================================================================
  RCS file: /export/home/cvs/apache-1.2/src/mod_include.c,v
  retrieving revision 1.40
  retrieving revision 1.41
  diff -u -r1.40 -r1.41
  --- mod_include.c     1998/04/13 11:45:45     1.40
  +++ mod_include.c     1998/05/26 00:55:29     1.41
  @@ -527,20 +527,26 @@
                /* what a pain, too bad there's no table_getn where you can
                 * pass a non-nul terminated string */
                l = end_of_var_name - start_of_var_name;
  -             l = (l > sizeof(var) - 1) ? (sizeof(var) - 1) : l;
  -             memcpy(var, start_of_var_name, l);
  -             var[l] = '\0';
  +             if (l != 0) {
  +                 l = (l > sizeof(var) - 1) ? (sizeof(var) - 1) : l;
  +                 memcpy(var, start_of_var_name, l);
  +                 var[l] = '\0';
   
  -             val = table_get(r->subprocess_env, var);
  -             if (val) {
  -                 expansion = val;
  -                 l = strlen(expansion);
  +                 val = table_get(r->subprocess_env, var);
  +                 if (val) {
  +                     expansion = val;
  +                     l = strlen(expansion);
  +                 }
  +                 else if (leave_name) {
  +                     l = in - expansion;
  +                 }
  +                 else {
  +                     break;  /* no expansion to be done */
  +                 }
                }
  -             else if (leave_name) {
  -                 l = in - expansion;
  -             }
                else {
  -                 break;      /* no expansion to be done */
  +                 /* zero-length variable name causes just the $ to be copied 
*/
  +                 l = 1;
                }
                l = (l > end_out - next) ? (end_out - next) : l;
                memcpy(next, expansion, l);
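Review bot: The clamp carried over as `l = (l > sizeof(var) - 1) ? (sizeof(var) - 1) : l;` silently shortens an over-long variable name and then looks the shortened name up in `r->subprocess_env`, so a long name in an SSI document can resolve to a different variable that shares the same prefix. Since this block is being restructured anyway, an over-long name would be better treated as unset: skip the `memcpy`/`table_get` and set `val = NULL` when `l > sizeof(var) - 1`, so it falls through to the existing `leave_name` / `break` handling. The new `l = 1` branch appears to rely on `expansion` still pointing at the `$` in the input, which is set outside this hunk; the comment could say so, e.g. `/* expansion still points at the '$' in the input; copy just that byte */`. The enclosing function starts and ends outside the hunk, so the declared type of `l`, and whether its comparison against `sizeof` is signed or unsigned, cannot be checked from here.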
  
  
  
