authorPaul Querna <pquerna@apache.org>2010-07-21 20:25:01 +0200
committerPaul Querna <pquerna@apache.org>2010-07-21 20:25:01 +0200
commitad53d4dcbdacc1e9bd35f0348d20416d08e18566 (patch)
treeb6726c35ef9a72b1883725c9bfb343eed9f6de29 /modules/dav/main/util.c
parentRebuild new example. (diff)
CVE-2010-1452: Fix handling of missing path segments in the parsed URI structure.
If a specially crafted request is sent, it is possible to crash mod_dav, mod_cache or mod_session, because they access a field that the URI parser sets to NULL while assuming that the parser always puts a valid string there. PR: 49246 Submitted by: Mark Drayton Patch by: Jeff Trawick git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@966348 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules/dav/main/util.c')
-rw-r--r--modules/dav/main/util.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c
index 3af8ecb78e..7659b721da 100644
--- a/modules/dav/main/util.c
+++ b/modules/dav/main/util.c
@@ -625,7 +625,8 @@ static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih)
/* 2518 specifies this must be an absolute URI; just take the
* relative part for later comparison against r->uri */
- if ((rv = apr_uri_parse(r->pool, uri, &parsed_uri)) != APR_SUCCESS) {
+ if ((rv = apr_uri_parse(r->pool, uri, &parsed_uri)) != APR_SUCCESS
+ || !parsed_uri.path) {
return dav_new_error(r->pool, HTTP_BAD_REQUEST,
DAV_ERR_IF_TAGGED, rv,
"Invalid URI in tagged If-header.");
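Review bot: In the new `|| !parsed_uri.path` branch `rv` is still `APR_SUCCESS`, and that is the value the call passes as the fourth argument of `dav_new_error(...)`, so a request rejected for a missing path is presumably recorded with a success status behind the 400. Passing a failure code when the parse itself succeeded, for example `(rv != APR_SUCCESS) ? rv : APR_EGENERAL,` in place of `rv,`, would keep the logged cause meaningful when triaging malformed If headers. A one-line comment above the added condition, such as `/* apr_uri_parse() can succeed and leave path NULL; reject before it is used */`, would also record why the check exists. The enclosing `if` block and `dav_process_if_header` both continue outside the hunk, so the later use of `parsed_uri.path` is not visible here.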