When testing for slash-terminated configuration paths in

ap_location_walk(), don't look past the start of an empty string
such as that created by a <Location ""> directive.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@654998 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index af0a36e33ca568f2a1589646a1124d59b07f82c4..1411e50d467c6001a6f1fe87a7405f42b0181ff2 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,11 @@
 Changes with Apache 2.3.0
 [ When backported to 2.2.x, remove entry from this file ]
 
+  *) core: When testing for slash-terminated configuration paths in
+     ap_location_walk(), don't look past the start of an empty string
+     such as that created by a <Location ""> directive.
+     [Chris Darroch]
+
   *) core, mod_proxy: If a kept_body is present, it becomes safe for
      subrequests to support message bodies. Make sure that safety
      checks within the core and within the proxy are not triggered

diff --git a/server/request.c b/server/request.c
index 5d4c9aa4b62b0989ba885dd78a0a7dc326abcec6..159d8a04afd2cd82018ea5ab3625ca198ff6886e 100644 (file)
--- a/server/request.c
+++ b/server/request.c
@@ -1315,7 +1315,8 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
                 : (entry_core->d_is_fnmatch
                    ? apr_fnmatch(entry_core->d, cache->cached, APR_FNM_PATHNAME)
                    : (strncmp(entry_core->d, cache->cached, len)
-                      || (entry_core->d[len - 1] != '/'
+                      || (len > 0
+                          && entry_core->d[len - 1] != '/'
                           && cache->cached[len] != '/'
                           && cache->cached[len] != '\0')))) {
                 continue;