
[Bug 62855] New: Segfault in mod_include + printenv + ErrorDocument


            Bug ID: 62855
           Summary: Segfault in mod_include + printenv + ErrorDocument
           Product: Apache httpd-2
           Version: 2.4.35
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_include
          Assignee: bugs@xxxxxxxxxxxxxxxx
          Reporter: ewald@xxxxxxxxxxx
  Target Milestone: ---

Created attachment 36214
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36214&action=edit
Handle NULL environment values in mod_include.c, handle_printenv()

I configured mod_include for a location that serves local ErrorDocuments, like

ErrorDocument 400 /error/error.shtml
<Location "/error">
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    Options +Includes
</Location>

The error.shtml document uses the printenv directive and looks like this:

<!DOCTYPE html>
      <!--#printenv -->

Now I send an invalid request that leads to a "400 Bad Request" response:

echo "INVALID" | socket hostname 80

Apache segfaults in mod_include.c, handle_printenv() because the for loop in
there assumes that every environment key also has a value. But in this scenario
that's not the case for REDIRECT_REQUEST_METHOD, as there is no original
REQUEST_METHOD. So the key REDIRECT_REQUEST_METHOD exists in r->subprocess_env,
but its value is NULL.

I fixed this with the attached patch mod_include_printenv.patch by setting
missing values to "ctx->intern->undefined_echo". This is what handle_echo() is
doing, so I hope this makes sense. Or is simply skipping keys with missing
values the better solution?
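
The NULL-value case described in this report, as an added C example that is not part of the original report or of mod_include: a stand-alone model of a printenv-style loop that checks each value before using it. The struct, the function name, the sample entries and the "(none)" placeholder are assumptions made for illustration; passing NULL as the placeholder skips keys without values, the alternative the report asks about.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for one r->subprocess_env entry. */
struct env_entry {
    const char *key;
    const char *val;            /* NULL when the key has no value */
};

/* Constructed sample: one key without a value, as in the report. */
static const struct env_entry SAMPLE_ENV[] = {
    { "REDIRECT_STATUS", "400" },
    { "REDIRECT_REQUEST_METHOD", NULL },
    { "SERVER_PROTOCOL", "HTTP/1.0" },
};

/*
 * Render "key=value\n" lines into a malloc'd string (caller frees).
 * undefined: text used for NULL values (the role of undefined_echo);
 *            pass NULL to skip such keys instead.
 * Calling strlen(e[i].val) without the check is the crash pattern.
 */
char *render_printenv(const struct env_entry *e, size_t n,
                      const char *undefined)
{
    size_t len = 1, used = 0, i;
    char *out;

    for (i = 0; i < n; i++) {
        const char *v = e[i].val ? e[i].val : undefined;
        if (v)
            len += strlen(e[i].key) + strlen(v) + 2;  /* '=' and '\n' */
    }
    if ((out = malloc(len)) == NULL)
        return NULL;
    out[0] = '\0';
    for (i = 0; i < n; i++) {
        const char *v = e[i].val ? e[i].val : undefined;
        if (v)
            used += (size_t)snprintf(out + used, len - used, "%s=%s\n",
                                     e[i].key, v);
    }
    return out;
}

int main(void)
{
    char *s = render_printenv(SAMPLE_ENV, 3, "(none)");
    if (s) { fputs(s, stdout); free(s); }
    return 0;
}
```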
