summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJoe Orton <jorton@apache.org>2020-06-24 09:32:36 +0200
committerJoe Orton <jorton@apache.org>2020-06-24 09:32:36 +0200
commit1d851178756bbd674f9f2de6dd2e8bcdc5ee1b57 (patch)
tree32d98cb1cba4337bce06478113624ebc5671d34f
parent* modules/generators/mod_cgid.c (cgid_handler): Bail immediately with (diff)
downloadapache2-1d851178756bbd674f9f2de6dd2e8bcdc5ee1b57.tar.xz
apache2-1d851178756bbd674f9f2de6dd2e8bcdc5ee1b57.zip
* modules/generators/mod_cgid.c (get_req): Add basic sanity
checking for the structure received in the CGI daemon. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879136 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--modules/generators/mod_cgid.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c
index 3cde699215..699d7059f9 100644
--- a/modules/generators/mod_cgid.c
+++ b/modules/generators/mod_cgid.c
@@ -516,6 +516,14 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env,
return APR_SUCCESS;
}
+ /* Sanity check the structure received. */
+ if (req->env_count < 0 || req->uri_len == 0
+ || req->filename_len > APR_PATH_MAX || req->filename_len == 0
+ || req->argv0_len > APR_PATH_MAX || req->argv0_len == 0
+ || req->loglevel > APLOG_TRACE8) {
+ return APR_EINVAL;
+ }
+
/* handle module indexes and such */
rconf = (void **)ap_create_request_config(r->pool);