head	1.2;
access;
symbols;
locks; strict;
comment	@# @;


1.2
date	2004.11.01.15.29.00;	author dinoex;	state dead;
branches;
next	1.1;

1.1
date	2004.10.29.16.29.14;	author dinoex;	state Exp;
branches;
next	;


desc
@@


1.2
log
@- update to 2.8.22-1.3.33
@
text
@diff -ur src/modules/standard/mod_include.c apache_1.3.33/src/modules/standard/mod_include.c
--- src/modules/standard/mod_include.c	Sat Feb 28 23:19:04 2004
+++ apache_1.3.33/src/modules/standard/mod_include.c	Mon Oct 25 17:44:04 2004
@@@@ -309,9 +309,10 @@@@
  * the tag value is html decoded if dodecode is non-zero
  */
 
-static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode)
+static char *get_tag(request_rec *r, FILE *in, char *tag, int tagbuf_len, int dodecode)
 {
     char *t = tag, *tag_val, c, term;
+    pool *p = r->pool;
 
     /* makes code below a little less cluttered */
     --tagbuf_len;
@@@@ -337,7 +338,7 @@@@
 
     /* find end of tag name */
     while (1) {
-        if (t - tag == tagbuf_len) {
+        if (t == tag + tagbuf_len) {
             *t = '\0';
             return NULL;
         }
@@@@ -371,16 +372,30 @@@@
     term = c;
     while (1) {
         GET_CHAR(in, c, NULL, p);
-        if (t - tag == tagbuf_len) {
+        if (t == tag + tagbuf_len) {
             *t = '\0';
+            ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
+                          "mod_include: value length exceeds limit"
+                          " (%d) in %s", tagbuf_len, r->filename);
             return NULL;
         }
-/* Want to accept \" as a valid character within a string. */
+        /* Want to accept \" as a valid character within a string. */
         if (c == '\\') {
-            *(t++) = c;         /* Add backslash */
             GET_CHAR(in, c, NULL, p);
-            if (c == term) {    /* Only if */
-                *(--t) = c;     /* Replace backslash ONLY for terminator */
+            /* Insert backslash only if not escaping a terminator char */
+            if (c != term) {
+                *(t++) = '\\';
+                /*
+                 * check to make sure that adding in the backslash won't cause
+                 * an overflow, since we're now 1 character ahead.
+                 */
+                if (t == tag + tagbuf_len) {
+                    *t = '\0';
+                    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
+                                  "mod_include: value length exceeds limit"
+                                  " (%d) in %s", tagbuf_len, r->filename);
+                    return NULL;
+                }
             }
         }
         else if (c == term) {
@@@@ -395,9 +410,10 @@@@
     return ap_pstrdup(p, tag_val);
 }
 
-static int get_directive(FILE *in, char *dest, size_t len, pool *p)
+static int get_directive(FILE *in, char *dest, size_t len, request_rec *r)
 {
     char *d = dest;
+    pool *p = r->pool;
     char c;
 
     /* make room for nul terminator */
@@@@ -413,6 +429,9 @@@@
     /* now get directive */
     while (1) {
 	if (d == len + dest) {
+            ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
+                          "mod_include: directive length exceeds limit"
+                          " (%lu) in %s", (unsigned long)len+1, r->filename);
 	    return 1;
 	}
         *d++ = ap_tolower(c);
@@@@ -616,7 +635,7 @@@@
     char *tag_val;
 
     while (1) {
-        if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
+        if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
             return 1;
         }
         if (!strcmp(tag, "file") || !strcmp(tag, "virtual")) {
@@@@ -839,7 +858,7 @@@@
     char parsed_string[MAX_STRING_LEN];
 
     while (1) {
-        if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
+        if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
             return 1;
         }
         if (!strcmp(tag, "cmd")) {
@@@@ -890,7 +909,7 @@@@
     encode = E_ENTITY;
 
     while (1) {
-        if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
+        if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
             return 1;
         }
         if (!strcmp(tag, "var")) {
@@@@ -952,7 +971,7 @@@@
         return DECLINED;
     }
     while (1) {
-        if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
+        if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
             break;
         }
         if (strnEQ(tag, "sub", 3)) {
@@@@ -985,7 +1004,7 @@@@
     table *env = r->subprocess_env;
 
     while (1) {
-        if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 0))) {
+        if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 0))) {
             return 1;
         }
         if (!strcmp(tag, "errmsg")) {
@@@@ -1101,7 +1120,7 @@@@
     char parsed_string[MAX_STRING_LEN];
 
     while (1) {
-        if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
+        if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
             return 1;
         }
         else if (!strcmp(tag, "done")) {
@@@@ -1141,7 +1160,7 @@@@
     char parsed_string[MAX_STRING_LEN];
 
     while (1) {
-        if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
+        if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
             return 1;
         }
         else if (!strcmp(tag, "done")) {
@@@@ -1917,7 +1936,7 @@@@
 
     expr = NULL;
     while (1) {
-        tag_val = get_tag(r->pool, in, tag, sizeof(tag), 0);
+        tag_val = get_tag(r, in, tag, sizeof(tag), 0);
         if (!tag_val || *tag == '\0') {
             return 1;
         }
@@@@ -1960,7 +1979,7 @@@@
 
     expr = NULL;
     while (1) {
-        tag_val = get_tag(r->pool, in, tag, sizeof(tag), 0);
+        tag_val = get_tag(r, in, tag, sizeof(tag), 0);
         if (!tag_val || *tag == '\0') {
             return 1;
         }
@@@@ -2007,7 +2026,7 @@@@
 {
     char tag[MAX_STRING_LEN];
 
-    if (!get_tag(r->pool, in, tag, sizeof(tag), 1)) {
+    if (!get_tag(r, in, tag, sizeof(tag), 1)) {
         return 1;
     }
     else if (!strcmp(tag, "done")) {
@@@@ -2035,7 +2054,7 @@@@
 {
     char tag[MAX_STRING_LEN];
 
-    if (!get_tag(r->pool, in, tag, sizeof(tag), 1)) {
+    if (!get_tag(r, in, tag, sizeof(tag), 1)) {
         return 1;
     }
     else if (!strcmp(tag, "done")) {
@@@@ -2065,7 +2084,7 @@@@
 
     var = (char *) NULL;
     while (1) {
-        if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
+        if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
             return 1;
         }
         else if (!strcmp(tag, "done")) {
@@@@ -2102,7 +2121,7 @@@@
     table_entry *elts = (table_entry *) arr->elts;
     int i;
 
-    if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
+    if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
         return 1;
     }
     else if (!strcmp(tag, "done")) {
@@@@ -2173,10 +2192,7 @@@@
 
     while (1) {
         if (!find_string(f, STARTING_SEQUENCE, r, printing)) {
-            if (get_directive(f, directive, sizeof(directive), r->pool)) {
-		ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
-			    "mod_include: error reading directive in %s",
-			    r->filename);
+            if (get_directive(f, directive, sizeof(directive), r)) {
 		ap_rputs(error, r);
                 return;
             }
diff -ur src/modules/standard/mod_rewrite.c apache_1.3.33/src/modules/standard/mod_rewrite.c
--- src/modules/standard/mod_rewrite.c	Wed Oct 13 20:44:25 2004
+++ apache_1.3.33/src/modules/standard/mod_rewrite.c	Wed Oct 27 16:23:04 2004
@@@@ -1116,7 +1116,7 @@@@
                                          r->path_info, NULL);
             }
             if (r->args != NULL &&
-                r->uri != r->unparsed_uri) {
+                r->uri == r->unparsed_uri) {
                 /* see proxy_http:proxy_http_canon() */
                 r->filename = ap_pstrcat(r->pool, r->filename,
                                          "?", r->args, NULL);
@


1.1
log
@- Security Patch
CAN-2004-0940
Obtained from:	apache-1.3.33
@
text
@@

