Commit ec7129ae authored by Greg Ames's avatar Greg Ames
Browse files

prevent near infinite subrequest recursion with mod_negotiation enabled. 

This can happen if there is a partial match between a bad URI and a
file with a variant extention.

ap_sub_req_lookup_dirent has apparently been generating bogus subrequest
URIs for ages, but they used to be ignored.  Once we started calling
ap_process_request_internal for all subrequests, they started causing
problems.  Make it explicit that rnew->uri is to be ignored for this type
of subrequest.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@91375 13f79535-47bb-0310-9956-ffa450edef68
parent 3a398e7e

server/request.c

+1 −5
Original line number Diff line number Diff line
@@ -1345,7 +1345,6 @@ AP_DECLARE(request_rec *) ap_sub_req_lookup_dirent(const apr_finfo_t *dirent, 
    request_rec *rnew;

    int res;

    char *fdir;

    char *udir;



    rnew = make_sub_request(r);

    fill_in_sub_req_vars(rnew, r, next_filter);
@@ -1363,15 +1362,12 @@ AP_DECLARE(request_rec *) ap_sub_req_lookup_dirent(const apr_finfo_t *dirent, 
     * not even have to redo access checks.

     */



    udir = ap_make_dirstr_parent(rnew->pool, r->uri);



    /* This is 100% safe, since dirent->name just came from the filesystem */

    rnew->uri = ap_make_full_path(rnew->pool, udir, dirent->name);

    rnew->filename = ap_make_full_path(rnew->pool, fdir, dirent->name);

    if (r->canonical_filename == r->filename)

        rnew->canonical_filename = rnew->filename;

    

    ap_parse_uri(rnew, rnew->uri);    /* fill in parsed_uri values */

    rnew->uri = apr_pstrdup(rnew->pool, "");



    /* Preserve the apr_stat results, and perhaps we also tag that

     * symlinks were tested and/or found for r->filename.