At first I thought there must be code to guarantee
that a URI (resource->uri) has length > 0, but since I found
similar guards against precisely that case, e.g.,
modules/dav/fs/repos.c-822
    char *uri = ap_make_dirstr_parent(ctx->pool, resource->uri);
    if (strlen(uri) > 1 && uri[strlen(uri) - 1] == '/')
        uri[strlen(uri) - 1] = '\0';

modules/mappers/mod_dir.c-231
    /* Redirect requests that are not '/' terminated */
    if (r->uri[0] == '\0' || r->uri[strlen(r->uri) - 1] != '/')

modules/metadata/mod_cern_meta.c:293
    if (r->finfo.filetype == APR_DIR || r->uri[strlen(r->uri) - 1] == '/') {

[ As I was looking through these other examples, I see that
a zero-length r->uri could cause trouble here, too, since
the above is *not* guarded. ]
it seems best to guard the use below, too:
From 5609908643d8456c6f56197102161e56d87e56c4 Mon Sep 17 00:00:00 2001
From: Jim Meyering <[email protected]>
Date: Thu, 7 Jun 2012 20:36:16 +0200
Subject: [PATCH] don't access(r/w) uri[-1] when validating resource w/empty
uri string
* modules/dav/main/util.c (dav_validate_resource_state):
Handle a zero-length URI string.
---
modules/dav/main/util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c
index d076cc4..adddded 100644
--- a/modules/dav/main/util.c
+++ b/modules/dav/main/util.c
@@ -984,11 +984,11 @@ static dav_error * dav_validate_resource_state(apr_pool_t
*p,
** URIs, but the majority of URIs provided to us via a resource walk
** will not contain that trailing slash.
*/
uri = resource->uri;
uri_len = strlen(uri);
- if (uri[uri_len - 1] == '/') {
+ if (uri_len > 1 && uri[uri_len - 1] == '/') {
dav_set_bufsize(p, pbuf, uri_len);
memcpy(pbuf->buf, uri, uri_len);
pbuf->buf[--uri_len] = '\0';
uri = pbuf->buf;
}
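Review bot: the new condition `uri_len > 1` covers more than the zero-length case named in the log: it also stops the one-character URI "/" from being stripped, which the old code reduced to an empty string via `pbuf->buf[--uri_len] = '\0'`. If leaving "/" intact is intended (it matches the `strlen(uri) > 1` guard quoted from repos.c), the commit log should say so; if the goal is only to avoid the uri[-1] access, `uri_len > 0` is the minimal test. A one-line comment beside the check explaining why the length is tested would keep the guard from being dropped later.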
--
1.7.11.1.116.g8228a23