Index: modules/session/mod_session.c =================================================================== --- modules/session/mod_session.c (revision 678110) +++ modules/session/mod_session.c (working copy) @@ -364,7 +364,7 @@ if (!val || !*val) { apr_table_unset(z->entries, key); } - if (!ap_unescape_all(key) && !ap_unescape_all(val)) { + else if (!ap_unescape_all(key) && !ap_unescape_all(val)) { if (!strcmp(SESSION_EXPIRY, key)) { z->expiry = (apr_time_t) apr_atoi64(val); }
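Review bot: On the changed `else if` line, only `val` is covered by the preceding `!val || !*val` test; `key` still goes into `ap_unescape_all(key)` unchecked. The enclosing code is not visible in this hunk, so please confirm it guarantees a non-NULL key, or add that test here. The `else` also leaves the NULL dereference inside `ap_unescape_all` in place for any other caller that passes a missing value, so a guard there is worth a separate follow-up patch. A one-line comment on the `else if` saying that an empty value means "unset, nothing to unescape" would keep a later cleanup from dropping the `else` again.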
I was experimenting with mod_session a bit and ran into a segfault when
a CGI script sets a cookie with a null value (e.g. "key="). Basically
mod_session tries to do a sanity check on the null value by passing it
to ap_unescape_all, which is causing the segfault. But if you look at
the code, there's no need for it: the key was removed from the table
because of the null value and the sanity check is in preparation to add
it back to the table. The attached patch fixes mod_session, but perhaps
unescape_url (which ap_unescape_all calls) should verify that the value
passed to it isn't null. I'm not quite sure what it should return
though which is why I didn't bother touching it.
- [PATCH] mod_session.c David Shane Holden
- Re: [PATCH] mod_session.c Ruediger Pluem
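The failure mode described in the post above, as an added example that is not part of the original message or of httpd's code: a self-contained decoder that drops a pair with a missing value before any unescape call, with an unescape helper that itself rejects NULL. `unescape_in_place` and `decode_pairs` are hypothetical names, and treating the value of `key=` as NULL is an assumed tokenizer behaviour.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical in-place percent-decoder (not httpd's): 0 on success, -1 on
 * NULL or malformed input, so a missing value is never dereferenced. */
int unescape_in_place(char *s)
{
    char *out = s;
    if (s == NULL) return -1;
    for (; *s; s++) {
        if (*s == '%') {
            if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
                return -1;
            char hex[3] = { s[1], s[2], '\0' };
            *out++ = (char)strtol(hex, NULL, 16);
            s += 2;
        } else {
            *out++ = *s;
        }
    }
    *out = '\0';
    return 0;
}

/* Decode "k=v&k2=" in place. Returns the number of pairs accepted; *dropped
 * counts pairs with no value. val is NULL for "key=" (assumed behaviour). */
int decode_pairs(char *encoded, int *dropped)
{
    int stored = 0;
    char *next;
    *dropped = 0;
    for (char *pair = encoded; pair && *pair; pair = next) {
        char *amp = strchr(pair, '&');
        next = amp ? amp + 1 : NULL;
        if (amp) *amp = '\0';
        char *eq = strchr(pair, '=');
        char *val = (eq && eq[1]) ? eq + 1 : NULL;
        if (eq) *eq = '\0';
        if (!*pair) continue;          /* empty key: ignore the pair */
        if (!val || !*val)
            (*dropped)++;              /* nothing to store, nothing to unescape */
        else if (unescape_in_place(pair) == 0 && unescape_in_place(val) == 0)
            stored++;
    }
    return stored;
}

int main(void)
{
    char sample[] = "user=alice%20b&token=&expiry=1234"; /* constructed input */
    int dropped;
    return !(decode_pairs(sample, &dropped) == 2 && dropped == 1);
}
```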