Fix memory corruption problem with ap_custom_response() function.

The core per-dir config would later point to request pool data
that would be reused for different purposes on different requests.

This is based on an old 1.3 patch submitted by Will Lowe.
It needs a minor tweak before committing to 1.3, but he had
it pretty darn close.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103120 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 6c147bdffd255c1b2c89b88fe0cde83381e91483..84775fda20ddf883f43630156111ded869b9e8e7 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,11 @@ Changes with Apache 2.1.0-dev
 
   [Remove entries to the current 2.0 section below, when backported]
 
+  *) Fix memory corruption problem with ap_custom_response() function.
+     The core per-dir config would later point to request pool data
+     that would be reused for different purposes on different requests.
+     [Jeff Trawick, based on an old 1.3 patch submitted by Will Lowe]
+
   *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack
      is set in r->subprocess_env allow mismatched query strings to pass.
      PR 27758.  [Paul Querna <chip force-elite.com>, Geoffrey Young]

diff --git a/include/http_core.h b/include/http_core.h
index 2d068764deb68f2495512e9c92c96bcc5750c257..de82ac5adfe70bc5089ae0e1e3cb5aa19fa7d14e 100644 (file)
--- a/include/http_core.h
+++ b/include/http_core.h
@@ -324,6 +324,13 @@ typedef struct {
      * won't actually be delivered as the response for the non-GET method.
      */
     int deliver_script;
+
+    /* Custom response strings registered via ap_custom_response(),
+     * or NULL; check per-dir config if nothing found here
+     */
+    char **response_code_strings; /* from ap_custom_response(), not from
+                                   * ErrorDocument
+                                   */
 } core_request_config;
 
 /* Standard entries that are guaranteed to be accessible via
@@ -426,7 +433,8 @@ typedef struct {
      * This lets us do quick merges in merge_core_dir_configs().
      */
   
-    char **response_code_strings;
+    char **response_code_strings; /* from ErrorDocument, not from
+                                   * ap_custom_response() */
 
     /* Hostname resolution etc */
 #define HOSTNAME_LOOKUP_OFF    0

diff --git a/server/core.c b/server/core.c
index b77a33b9d1b56cad6e264bb85427625ec75c10fd..9218ee0a7566a06d34e976421221c854a6701cb7 100644 (file)
--- a/server/core.c
+++ b/server/core.c
@@ -678,16 +678,26 @@ AP_DECLARE(int) ap_satisfies(request_rec *r)
 
 char *ap_response_code_string(request_rec *r, int error_index)
 {
-    core_dir_config *conf;
+    core_dir_config *dirconf;
+    core_request_config *reqconf;
 
-    conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
-                                                   &core_module);
+    /* check for string registered via ap_custom_response() first */
+    reqconf = (core_request_config *)ap_get_module_config(r->request_config,
+                                                          &core_module);
+    if (reqconf->response_code_strings != NULL &&
+        reqconf->response_code_strings[error_index] != NULL) {
+        return reqconf->response_code_strings[error_index];
+    }
 
-    if (conf->response_code_strings == NULL) {
-        return NULL;
+    /* check for string specified via ErrorDocument */
+    dirconf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
+                                                      &core_module);
+
+    if (dirconf->response_code_strings == NULL) {
+       return NULL;
     }
 
-    return conf->response_code_strings[error_index];
+    return dirconf->response_code_strings[error_index];
 }
 
 
@@ -1100,11 +1110,11 @@ static const char *set_document_root(cmd_parms *cmd, void *dummy,
 AP_DECLARE(void) ap_custom_response(request_rec *r, int status,
                                     const char *string)
 {
-    core_dir_config *conf =
-        ap_get_module_config(r->per_dir_config, &core_module);
+    core_request_config *conf =
+        ap_get_module_config(r->request_config, &core_module);
     int idx;
 
-    if(conf->response_code_strings == NULL) {
+    if (conf->response_code_strings == NULL) {
         conf->response_code_strings =
             apr_pcalloc(r->pool,
                         sizeof(*conf->response_code_strings) * RESPONSE_CODES);