Only read "active" values from the key_files array. PR 56306.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1585918 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 6d63e906a17f280cc9602a9213dfd8d66cc9c8ba..a6079bff91f794ea2be16b307c097d8990127c2d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_ssl: avoid processing bogus SSLCertificateKeyFile values
+     (and logging garbled file names). PR 56306. [Kaspar Brand]
+
   *) mod_proxy_fcgi: Fix sending of response without some HTTP headers
      that might be set by filters.  [Jim Riggs <jim riggs.me>]
 

diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index ab5fa5e51a3e1efff20834e68d9c1a99cc93b3a5..cbc4a7433d0e75ca9c25450ccd8e67f50c500a0a 100644 (file)
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -914,9 +914,11 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
         }
 
         /* and second, the private key */
-        keyfile = APR_ARRAY_IDX(mctx->pks->key_files, i, const char *);
-        if (keyfile == NULL)
+        if (i < mctx->pks->key_files->nelts) {
+            keyfile = APR_ARRAY_IDX(mctx->pks->key_files, i, const char *);
+        } else {
             keyfile = certfile;
+        }
 
         ERR_clear_error();