>Number: 1777
>Category: general
>Synopsis: pregsub() in util.c fails to append remainder of string;
>causes ScriptAliasMatch to fail
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Fri Feb 6 05:50:00 PST 1998
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization:
apache
>Release: 1.3b3
>Environment:
Linux i386 2.0.32, gcc 2.7.2
>Description:
With a rule like:
    ScriptAliasMatch ^/(.*)/_vti_bin/ /web/user1/html/$1/_vti_bin/
and a URI input
    /king/_vti_bin/shtml.exe
we expect a match and a translation to /web/user1/html/king/_vti_bin/shtml.exe.
However, the code returns /web/user1/html/king/_vti_bin/
and the server then errors trying to execute a dir as a script.
The problem is in util.c, in pregsub: it fails to account for the
remaining portion of "source" which falls outside of the pattern matched.
>How-To-Repeat:
yes
>Fix:
I patched util.c, pregsub(); however, I'm now a bit worried some other code
depends on this errant behaviour. Maybe I should have patched mod_alias
instead.
Please send me your opinions... [EMAIL PROTECTED] Patch below:
[EMAIL PROTECTED]:/d6/apache_1.3b3?diff -C 5 src/main/util.c.orig
src/main/util.c
*** src/main/util.c.orig Fri Feb 6 05:39:15 1998
--- src/main/util.c Fri Feb 6 05:40:58 1998
***************
*** 263,272 ****
--- 263,274 ----
else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
len += pmatch[no].rm_eo - pmatch[no].rm_so;
}
}
+ /* add in the remainder of the string (if any) */
+ len += strlen(source) - (pmatch[0].rm_eo);
dest = dst = pcalloc(p, len + 1);
/* Now actually fill in the string */
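Review bot: the added "len += strlen(source) - (pmatch[0].rm_eo);" reads pmatch[0] unconditionally, while the loop just above guards every pmatch[no] access with "no < nmatch". If nmatch is 0, or pmatch[0].rm_eo is not a valid offset into source, len comes out wrong and the pcalloc(p, len + 1) buffer that the second hunk fills is mis-sized. Guard the access (nmatch > 0 and rm_eo inside the string) and compute the tail length once into a variable that the copy in the second hunk reuses.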
***************
*** 292,302 ****
if (*(dst - 1) == '\0') /* strncpy hit NULL. */
return NULL;
}
}
! *dst = '\0';
return dest;
}
/*
--- 294,307 ----
if (*(dst - 1) == '\0') /* strncpy hit NULL. */
return NULL;
}
}
! /* now append the remaining characters */
! src=source+pmatch[0].rm_eo;
! while( (*dst++ = *src++));
! /* *dst = '\0'; */
return dest;
}
/*
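Review bot: "while( (*dst++ = *src++));" on the new side copies up to the NUL in source with no bound of its own, so it stays inside the allocation only if the length added in the first hunk agrees with it exactly. A memcpy of the tail length computed there, followed by an explicit terminator, keeps the two in step. The commented-out "/* *dst = '\0'; */" should be deleted rather than left behind, and because the result of pregsub() changes for every caller, the function's comment should state that the unmatched tail of source is now appended.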
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <[EMAIL PROTECTED]> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
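
The translation the description expects, as an added example that is not part of the original report and is not Apache's pregsub(): the names expand and subst_with_tail are hypothetical, and POSIX regcomp/regexec stand in for the server's regex calls. One routine both sizes and fills the buffer, so the allocation cannot disagree with the copy.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NMATCH 10 /* room for $0..$9 */

/* Hypothetical helper: walk tmpl once, expanding $0..$9 from pm and then
 * appending the part of source after the whole match. Writes only when
 * out != NULL; always returns the bytes needed, excluding the NUL. */
static size_t expand(char *out, const char *tmpl, const char *source,
                     const regmatch_t *pm)
{
    size_t n = 0;
    size_t tail = strlen(source + pm[0].rm_eo); /* unmatched remainder */
    const char *t;

    for (t = tmpl; *t; t++) {
        if (t[0] == '$' && t[1] >= '0' && t[1] <= '9') {
            const regmatch_t *m = &pm[*++t - '0'];
            if (m->rm_so >= 0) { /* group took part in the match */
                size_t glen = (size_t)(m->rm_eo - m->rm_so);
                if (out) memcpy(out + n, source + m->rm_so, glen);
                n += glen;
            }
        } else {
            if (out) out[n] = *t;
            n++;
        }
    }
    if (out) memcpy(out + n, source + pm[0].rm_eo, tail + 1); /* with NUL */
    return n + tail;
}

/* Returns a malloc'd translation, or NULL on no match or error. */
char *subst_with_tail(const char *pattern, const char *tmpl, const char *source)
{
    regex_t re;
    regmatch_t pm[NMATCH];
    char *dest = NULL;

    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return NULL;
    if (regexec(&re, source, NMATCH, pm, 0) == 0) {
        dest = malloc(expand(NULL, tmpl, source, pm) + 1); /* size pass */
        if (dest != NULL)
            expand(dest, tmpl, source, pm);                /* fill pass */
    }
    regfree(&re);
    return dest;
}
```
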