altarch-user / rpms / httpd

Forked from rpms/httpd 2 years ago
Clone

Blame SOURCES/httpd-2.4.6-CVE-2014-0098.patch

008793
--- a/modules/loggers/mod_log_config.c	2013/11/15 17:07:52	1542329
008793
+++ b/modules/loggers/mod_log_config.c	2014/03/10 11:23:47	1575904
008793
@@ -543,14 +543,24 @@
008793
 
008793
         while ((cookie = apr_strtok(cookies, ";", &last1))) {
008793
             char *name = apr_strtok(cookie, "=", &last2);
008793
-            if (name) {
008793
-                char *value = name + strlen(name) + 1;
008793
-                apr_collapse_spaces(name, name);
008793
+            /* last2 points to the next char following an '=' delim,
008793
+               or the trailing NUL char of the string */
008793
+            char *value = last2;
008793
+            if (name && *name &&  value && *value) {
008793
+                char *last = value - 2;
008793
+                /* Move past leading WS */
008793
+                name += strspn(name, " \t");
008793
+                while (last >= name && apr_isspace(*last)) {
008793
+                    *last = '\0';
008793
+                    --last;
008793
+                }
008793
 
008793
                 if (!strcasecmp(name, a)) {
008793
-                    char *last;
008793
-                    value += strspn(value, " \t");  /* Move past leading WS */
008793
-                    last = value + strlen(value) - 1;
008793
+                    /* last1 points to the next char following the ';' delim,
008793
+                       or the trailing NUL char of the string */
008793
+                    last = last1 - (*last1 ? 2 : 1);
008793
+                    /* Move past leading WS */
008793
+                    value += strspn(value, " \t");
008793
                     while (last >= value && apr_isspace(*last)) {
008793
                        *last = '\0';
008793
                        --last;
008793
@@ -559,6 +569,7 @@
008793
                     return ap_escape_logitem(r->pool, value);
008793
                 }
008793
             }
008793
+            /* Iterate the remaining tokens using apr_strtok(NULL, ...) */
008793
             cookies = NULL;
008793
         }
008793
     }