Fixed double-free in the digest authentication handling.

# Found and Reported by Stefan Esser

diff --git a/main/SAPI.c b/main/SAPI.c
index e6ce825375f9ed63157025ab6792463d19d30cc4..0b9405dab10ac5db006787a16dfae0aad776a657 100644 (file)
--- a/main/SAPI.c
+++ b/main/SAPI.c
@@ -455,7 +455,7 @@ SAPI_API void sapi_initialize_empty_request(TSRMLS_D)
 {
        SG(server_context) = NULL;
        SG(request_info).request_method = NULL;
-       SG(request_info).auth_user = SG(request_info).auth_password = NULL;
+       SG(request_info).auth_digest = SG(request_info).auth_user = SG(request_info).auth_password = NULL;
        SG(request_info).content_type_dup = NULL;
 }
 

diff --git a/main/main.c b/main/main.c
index ef336e03c029fc752e108086c935b68e0e23c8a4..6a792e8bffd8233d16a75e1eb1e80a77add168bd 100644 (file)
--- a/main/main.c
+++ b/main/main.c
@@ -1767,13 +1767,19 @@ PHPAPI int php_handle_auth_data(const char *auth TSRMLS_DC)
 
        if (ret == -1) {
                SG(request_info).auth_user = SG(request_info).auth_password = NULL;
+       } else {
+               SG(request_info).auth_digest = NULL;
        }
        
-       if (auth && auth[0] != '\0' && strncmp(auth, "Digest ", 7) == 0) {
+       if (ret == -1 && auth && auth[0] != '\0' && strncmp(auth, "Digest ", 7) == 0) {
                SG(request_info).auth_digest = estrdup(auth);
                ret = 0;
        }
 
+       if (ret == -1) {
+               SG(request_info).auth_digest = NULL;
+       }
+
        return ret;
 }
 /* }}} */