b***@apache.org
2018-10-25 12:11:23 UTC
https://bz.apache.org/bugzilla/show_bug.cgi?id=62855
Bug ID: 62855
Summary: Segfault in mod_include + printenv + ErrorDocument
Product: Apache httpd-2
Version: 2.4.35
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_include
Assignee: ***@httpd.apache.org
Reporter: ***@mailbox.org
Target Milestone: ---
Created attachment 36214
--> https://bz.apache.org/bugzilla/attachment.cgi?id=36214&action=edit
Handle NULL environment values in mod_include.c, handle_printenv()
I configured mod_include for a location that serves local ErrorDocuments, like
this:

    ErrorDocument 400 /error/error.shtml
    <Location "/error">
        AddType text/html .shtml
        AddOutputFilter INCLUDES .shtml
        Options +Includes
    </Location>

The error.shtml document uses the printenv directive and looks like this:

    <!DOCTYPE html>
    <html>
    <head>
    <title>Error</title>
    </head>
    <body>
    <pre>
    <!--#printenv -->
    </pre>
    </body>
    </html>

Now I send an invalid request that leads to a "400 Bad Request" response:

    echo "INVALID" | socket hostname 80

Apache segfaults in mod_include.c, handle_printenv() because the for loop in
there assumes that every environment key also has a value. But in this scenario
that's not the case for REDIRECT_REQUEST_METHOD, as there is no original
REQUEST_METHOD. So the key REDIRECT_REQUEST_METHOD exists in r->subprocess_env,
but its value is NULL.

I fixed this with the attached patch mod_include_printenv.patch by setting
missing values to "ctx->intern->undefined_echo". This is what handle_echo() is
doing, so I hope this makes sense. Or is simply skipping keys with missing
values the better solution?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-***@httpd.apache.org
For additional commands, e-mail: bugs-***@httpd.apache.org
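
The two fixes the report weighs (substitute an "undefined" string, or skip the entry), as an added example that is not the attached patch or httpd's own code. struct env_entry, render_printenv() and the sample table are hypothetical stand-ins for r->subprocess_env and the handle_printenv() loop, and "(none)" is a placeholder for ctx->intern->undefined_echo.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one row of r->subprocess_env (key/value pair). */
struct env_entry { const char *key; const char *val; };

/* The two options raised in the report for a key whose value is NULL. */
enum null_policy { SUBSTITUTE_UNDEFINED, SKIP_ENTRY };

/* Constructed sample of the state the report describes for the 400 error
 * document: REDIRECT_REQUEST_METHOD is present as a key but has no value. */
static const struct env_entry sample_env[] = {
    { "REDIRECT_STATUS", "400" },
    { "REDIRECT_REQUEST_METHOD", NULL },
    { "SERVER_PORT", "80" },
};

/* Render "key=value\n" lines into out. Returns the number of entries written,
 * or -1 if out is too small. A NULL value never reaches strlen() or "%s":
 * it is replaced by `undefined` or the entry is skipped, per `policy`. */
int render_printenv(const struct env_entry *env, size_t n, enum null_policy policy,
                    const char *undefined, char *out, size_t cap)
{
    size_t used = 0;
    int written = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        const char *val = env[i].val;
        if (env[i].key == NULL) continue;          /* defensive: no key, nothing to print */
        if (val == NULL) {
            if (policy == SKIP_ENTRY) continue;    /* option 2: omit the entry */
            val = undefined ? undefined : "";      /* option 1: print a placeholder */
        }
        int len = snprintf(out + used, cap - used, "%s=%s\n", env[i].key, val);
        if (len < 0 || (size_t)len >= cap - used) return -1;   /* would truncate */
        used += (size_t)len;
        written++;
    }
    return written;
}

int main(void)
{
    char buf[256];
    if (render_printenv(sample_env, 3, SUBSTITUTE_UNDEFINED, "(none)", buf, sizeof buf) > 0)
        fputs(buf, stdout);
    return 0;
}
```

Substituting keeps the key visible in the rendered page, which helps when debugging an error document; skipping hides that the key exists at all.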