Fix a segfault in mod_include when the original request has no
[apache] / modules / filters / mod_include.c
index fa822d99853bfc76f162e1165901d68a40c86574..b65a50ba10d1c576b664610ebcdf4c55fc63d4f0 100644 (file)
@@ -182,6 +182,8 @@ static apr_bucket *find_start_sequence(apr_bucket *dptr, include_ctx_t *ctx,
                 if (ctx->head_start_index > 0) {
                     ctx->head_start_index  = 0;
                     ctx->head_start_bucket = tmp_bkt;
+                    ctx->parse_pos = 0;
+                    ctx->state = PRE_HEAD;
                 }
 
                 return tmp_bkt;
@@ -270,6 +272,11 @@ static apr_bucket *find_end_sequence(apr_bucket *dptr, include_ctx_t *ctx, apr_b
         }
         while (c < buf + len) {
             if (ctx->bytes_parsed >= BYTE_COUNT_THRESHOLD) {
+                if (ctx->state == PARSE_DIRECTIVE) {
+                    /* gonna start over parsing the directive next time through */
+                    ctx->directive_length = 0;
+                    ctx->tag_length       = 0;
+                }
                 return dptr;
             }
 
@@ -593,8 +600,8 @@ static void ap_ssi_get_tag_and_value(include_ctx_t *ctx, char **tag,
         }
     }
     
-    *c++ = '\0'; /* Overwrites delimiter (term or WS) with NULL. */
-    ctx->curr_tag_pos = c;
+    *(c-shift_val) = '\0'; /* Overwrites delimiter (term or WS) with NULL. */
+    ctx->curr_tag_pos = ++c;
     if (dodecode) {
         decodehtml(*tag_val);
     }
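Review bot: The trailing comment on `*(c-shift_val) = '\0';` still says the store overwrites the delimiter, but the write now lands `shift_val` bytes before `c`, so with a nonzero `shift_val` it terminates the value earlier than the delimiter. A comment such as `/* Terminate the value at its shifted end; c is then advanced past the delimiter. */` would match the new code. `shift_val` is maintained outside this hunk, so it is worth confirming there that it can never exceed the distance from the start of `*tag_val` to `c`; otherwise this store would land before the start of the value. The body of ap_ssi_get_tag_and_value starts above the hunk and continues below it.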
@@ -825,8 +832,8 @@ static int handle_include(include_ctx_t *ctx, apr_bucket_brigade **bb, request_r
                     for (p = r; p != NULL && !founddupe; p = p->main) {
                    request_rec *q;
                    for (q = p; q != NULL; q = q->prev) {
-                       if ( (strcmp(q->filename, rr->filename) == 0) ||
-                            (strcmp(q->uri, rr->uri) == 0) ){
+                       if ((q->filename && rr->filename && (strcmp(q->filename, rr->filename) == 0)) ||
+                            (strcmp(q->uri, rr->uri) == 0){
                            founddupe = 1;
                            break;
                        }
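Review bot: The rewritten condition does not balance its parentheses: its second line ends `(strcmp(q->uri, rr->uri) == 0){`, which leaves the `if (` from the previous line unclosed, so the new side as shown would not compile. Closing it as `(strcmp(q->uri, rr->uri) == 0)) {` restores the intended test. The NULL guard was added only for `filename`, while both `uri` pointers still go to `strcmp` unchecked. If `q->uri` or `rr->uri` can also be unset for the requests this commit targets (not determinable from the hunk), the same guard belongs there: `(q->uri && rr->uri && (strcmp(q->uri, rr->uri) == 0))`. The enclosing loops and handle_include start and end outside the hunk.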
@@ -2466,7 +2473,7 @@ static apr_status_t send_parsed_content(apr_bucket_brigade **bb,
                              (tmp_dptr != APR_BRIGADE_SENTINEL(*bb)));
                 }
 
-                return;
+                return APR_SUCCESS;
             }
 
             /* Can't destroy the tag buckets until I'm done processing
@@ -2609,6 +2616,7 @@ static apr_status_t send_parsed_content(apr_bucket_brigade **bb,
             ctx->bytes_parsed = 0;
         }
     }
+    return APR_SUCCESS;
 }
 
 /*****************************************************************
@@ -2679,7 +2687,7 @@ static apr_status_t includes_filter(ap_filter_t *f, apr_bucket_brigade *b)
     if (!(ap_allow_options(r) & OPT_INCLUDES)) {
         return ap_pass_brigade(f->next, b);
     }
-    r->allowed |= (1 << M_GET);
+    r->allowed |= (AP_METHOD_BIT << M_GET);
     if (r->method_number != M_GET) {
         return ap_pass_brigade(f->next, b);
     }