arrfab / rpms / httpd

Forked from rpms/httpd 5 years ago
Clone

Blame SOURCES/httpd-2.4.6-CVE-2014-0098.patch

706609
--- a/modules/loggers/mod_log_config.c	2013/11/15 17:07:52	1542329
706609
+++ b/modules/loggers/mod_log_config.c	2014/03/10 11:23:47	1575904
706609
@@ -543,14 +543,24 @@
706609
 
706609
         while ((cookie = apr_strtok(cookies, ";", &last1))) {
706609
             char *name = apr_strtok(cookie, "=", &last2);
706609
-            if (name) {
706609
-                char *value = name + strlen(name) + 1;
706609
-                apr_collapse_spaces(name, name);
706609
+            /* last2 points to the next char following an '=' delim,
706609
+               or the trailing NUL char of the string */
706609
+            char *value = last2;
706609
+            if (name && *name &&  value && *value) {
706609
+                char *last = value - 2;
706609
+                /* Move past leading WS */
706609
+                name += strspn(name, " \t");
706609
+                while (last >= name && apr_isspace(*last)) {
706609
+                    *last = '\0';
706609
+                    --last;
706609
+                }
706609
 
706609
                 if (!strcasecmp(name, a)) {
706609
-                    char *last;
706609
-                    value += strspn(value, " \t");  /* Move past leading WS */
706609
-                    last = value + strlen(value) - 1;
706609
+                    /* last1 points to the next char following the ';' delim,
706609
+                       or the trailing NUL char of the string */
706609
+                    last = last1 - (*last1 ? 2 : 1);
706609
+                    /* Move past leading WS */
706609
+                    value += strspn(value, " \t");
706609
                     while (last >= value && apr_isspace(*last)) {
706609
                        *last = '\0';
706609
                        --last;
706609
@@ -559,6 +569,7 @@
706609
                     return ap_escape_logitem(r->pool, value);
706609
                 }
706609
             }
706609
+            /* Iterate the remaining tokens using apr_strtok(NULL, ...) */
706609
             cookies = NULL;
706609
         }
706609
     }