osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 62855] New: Segfault in mod_include + printenv + ErrorDocument


https://bz.apache.org/bugzilla/show_bug.cgi?id=62855

            Bug ID: 62855
           Summary: Segfault in mod_include + printenv + ErrorDocument
           Product: Apache httpd-2
           Version: 2.4.35
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_include
          Assignee: bugs@xxxxxxxxxxxxxxxx
          Reporter: ewald@xxxxxxxxxxx
  Target Milestone: ---

Created attachment 36214
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36214&action=edit
Handle NULL environment values in mod_include.c, handle_printenv()

I configured mod_include for a location that serves local ErrorDocuments, like
this:

ErrorDocument 400 /error/error.shtml
<Location "/error">
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    Options +Includes
</Location>

The error.shtml document uses the printenv directive and looks like this:

<!DOCTYPE html>
<html>
  <head>
    <title>Error</title>
  </head>
  <body>
    <pre>
      <!--#printenv -->
    </pre>
  </body>
</html>

Now I send an invalid request that leads to a "400 Bad Request" response:

echo "INVALID" | socket hostname 80

Apache segfaults in mod_include.c, handle_printenv() because the for loop in
there assumes that every environment key also has a value. But in this scenario
that's not the case for REDIRECT_REQUEST_METHOD, as there is no original
REQUEST_METHOD. So the key REDIRECT_REQUEST_METHOD exists in r->subprocess_env,
but its value is NULL.

I fixed this with the attached patch mod_include_printenv.patch by setting
missing values to "ctx->intern->undefined_echo". This is what handle_echo() is
doing, so I hope this makes sense. Or is simply skipping keys with missing
values the better solution?

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: bugs-help@xxxxxxxxxxxxxxxx