diff options
author | Joe Orton <jorton@apache.org> | 2020-06-24 09:32:36 +0200 |
---|---|---|
committer | Joe Orton <jorton@apache.org> | 2020-06-24 09:32:36 +0200 |
commit | 1d851178756bbd674f9f2de6dd2e8bcdc5ee1b57 (patch) | |
tree | 32d98cb1cba4337bce06478113624ebc5671d34f | |
parent | * modules/generators/mod_cgid.c (cgid_handler): Bail immediately with (diff) | |
download | apache2-1d851178756bbd674f9f2de6dd2e8bcdc5ee1b57.tar.xz apache2-1d851178756bbd674f9f2de6dd2e8bcdc5ee1b57.zip |
* modules/generators/mod_cgid.c (get_req): Add basic sanity
checking for the structure received in the CGI daemon.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879136 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | modules/generators/mod_cgid.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c index 3cde699215..699d7059f9 100644 --- a/modules/generators/mod_cgid.c +++ b/modules/generators/mod_cgid.c @@ -516,6 +516,14 @@ static apr_status_t get_req(int fd, request_rec *r, char **argv0, char ***env, return APR_SUCCESS; } + /* Sanity check the structure received. */ + if (req->env_count < 0 || req->uri_len == 0 + || req->filename_len > APR_PATH_MAX || req->filename_len == 0 + || req->argv0_len > APR_PATH_MAX || req->argv0_len == 0 + || req->loglevel > APLOG_TRACE8) { + return APR_EINVAL; + } + /* handle module indexes and such */ rconf = (void **)ap_create_request_config(r->pool); |