dgaudet 98/05/25 17:55:30
Modified: src CHANGES mod_include.c Log: $ followed by non alnum should expand to $... I broke this in 1.2.5 security stuff. PR: 1921, 2249 Revision Changes Path 1.312 +4 -0 apache-1.2/src/CHANGES Index: CHANGES =================================================================== RCS file: /export/home/cvs/apache-1.2/src/CHANGES,v retrieving revision 1.311 retrieving revision 1.312 diff -u -r1.311 -r1.312 --- CHANGES 1998/05/25 18:07:31 1.311 +++ CHANGES 1998/05/26 00:55:28 1.312 @@ -1,5 +1,9 @@ Changes with Apache 1.2.7 + *) A zero-length name after a $ in an SSI document should cause + just the $ to be in the expansion. This was broken during the + security fixes in 1.2.5. [Dean Gaudet] PR#1921, 2249 + *) Call ap_destroy_sub_req() in ap_add_cgi_vars() to reclaim some memory. [Rob Saccoccio <[EMAIL PROTECTED]>] PR#2252 1.41 +17 -11 apache-1.2/src/mod_include.c Index: mod_include.c =================================================================== RCS file: /export/home/cvs/apache-1.2/src/mod_include.c,v retrieving revision 1.40 retrieving revision 1.41 diff -u -r1.40 -r1.41 --- mod_include.c 1998/04/13 11:45:45 1.40 +++ mod_include.c 1998/05/26 00:55:29 1.41 @@ -527,20 +527,26 @@ /* what a pain, too bad there's no table_getn where you can * pass a non-nul terminated string */ l = end_of_var_name - start_of_var_name; - l = (l > sizeof(var) - 1) ? (sizeof(var) - 1) : l; - memcpy(var, start_of_var_name, l); - var[l] = '\0'; + if (l != 0) { + l = (l > sizeof(var) - 1) ? (sizeof(var) - 1) : l; + memcpy(var, start_of_var_name, l); + var[l] = '\0'; - val = table_get(r->subprocess_env, var); - if (val) { - expansion = val; - l = strlen(expansion); + val = table_get(r->subprocess_env, var); + if (val) { + expansion = val; + l = strlen(expansion); + } + else if (leave_name) { + l = in - expansion; + } + else { + break; /* no expansion to be done */ + } } - else if (leave_name) { - l = in - expansion; - } else { - break; /* no expansion to be done */ + /* zero-length variable name causes just the $ to be copied */ + l = 1; } l = (l > end_out - next) ? (end_out - next) : l; memcpy(next, expansion, l);