escape the cookie_name before pasting into the regexp.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103326 13f79535-47bb-0310-9956-ffa450edef68

1 files changed, 33 insertions, 1 deletions

diff --git a/modules/metadata/mod_usertrack.c b/modules/metadata/mod_usertrack.c
index d7bbb22479..9c00a9a1d0 100644
--- a/modules/metadata/mod_usertrack.c
+++ b/modules/metadata/mod_usertrack.c
@@ -160,12 +160,44 @@ static void set_and_comp_regexp(cookie_dir_rec *dcfg,
                                 apr_pool_t *p,
                                 const char *cookie_name)
 {
+    int danger_chars = 0;
+    const char *sp = cookie_name;
+
     /* The goal is to end up with this regexp,
      * ^cookie_name=([^;,]+)|[;,][ \t]+cookie_name=([^;,]+)
      * with cookie_name obviously substituted either
      * with the real cookie name set by the user in httpd.conf, or with the
      * default COOKIE_NAME. */
-    dcfg->regexp_string = apr_pstrcat(p, "^", cookie_name, "=([^;,]+)|[;,][ \t]*", cookie_name, "=([^;,]+)", NULL);
+
+    /* Anyway, we need to escape the cookie_name before pasting it
+     * into the regex
+     */
+    while (*sp) {
+        if (!apr_isalnum(*sp)) {
+            ++danger_chars;
+        }
+        ++sp;
+    }
+
+    if (danger_chars) {
+        char *cp;
+        cp = apr_palloc(p, sp - cookie_name + danger_chars + 1); /* 1 == \0 */
+        sp = cookie_name;
+        cookie_name = cp;
+        while (*sp) {
+            if (!apr_isalnum(*sp)) {
+                *cp++ = '\\';
+            }
+            *cp++ = *sp++;
+        }
+        *cp = '\0';
+    }
+
+    dcfg->regexp_string = apr_pstrcat(p, "^",
+                                      cookie_name,
+                                      "=([^;,]+)|[;,][ \t]*",
+                                      cookie_name,
+                                      "=([^;,]+)", NULL);
 
     dcfg->regexp = ap_pregcomp(p, dcfg->regexp_string, REG_EXTENDED);
 }