From: André Malo <nd@apache.org>
Date: Sat, 10 Apr 2004 13:17:15 +0000 (+0000)
Subject: escape the cookie_name before pasting into the regexp.
X-Git-Tag: pre_ajp_proxy~395
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ae295b155554496e235c3310f23909917bd54318;p=apache

escape the cookie_name before pasting into the regexp.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103326 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index f536888251..42d0c23a86 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@ Changes with Apache 2.1.0-dev
 
   [Remove entries to the current 2.0 section below, when backported]
 
+  *) mod_usertrack: Escape the cookie name before pasting into the
+     regexp.  [André Malo]
+
   *) Enable special ErrorDocument value 'default' which restores the
      canned server response for the scope of the directive.
      [Geoffrey Young]
diff --git a/modules/metadata/mod_usertrack.c b/modules/metadata/mod_usertrack.c
index d7bbb22479..9c00a9a1d0 100644
--- a/modules/metadata/mod_usertrack.c
+++ b/modules/metadata/mod_usertrack.c
@@ -160,12 +160,44 @@ static void set_and_comp_regexp(cookie_dir_rec *dcfg,
                                 apr_pool_t *p,
                                 const char *cookie_name)
 {
+    int danger_chars = 0;
+    const char *sp = cookie_name;
+
     /* The goal is to end up with this regexp,
      * ^cookie_name=([^;,]+)|[;,][ \t]+cookie_name=([^;,]+)
      * with cookie_name obviously substituted either
      * with the real cookie name set by the user in httpd.conf, or with the
      * default COOKIE_NAME. */
-    dcfg->regexp_string = apr_pstrcat(p, "^", cookie_name, "=([^;,]+)|[;,][ \t]*", cookie_name, "=([^;,]+)", NULL);
+
+    /* Anyway, we need to escape the cookie_name before pasting it
+     * into the regex
+     */
+    while (*sp) {
+        if (!apr_isalnum(*sp)) {
+            ++danger_chars;
+        }
+        ++sp;
+    }
+
+    if (danger_chars) {
+        char *cp;
+        cp = apr_palloc(p, sp - cookie_name + danger_chars + 1); /* 1 == \0 */
+        sp = cookie_name;
+        cookie_name = cp;
+        while (*sp) {
+            if (!apr_isalnum(*sp)) {
+                *cp++ = '\\';
+            }
+            *cp++ = *sp++;
+        }
+        *cp = '\0';
+    }
+
+    dcfg->regexp_string = apr_pstrcat(p, "^",
+                                      cookie_name,
+                                      "=([^;,]+)|[;,][ \t]*",
+                                      cookie_name,
+                                      "=([^;,]+)", NULL);
 
     dcfg->regexp = ap_pregcomp(p, dcfg->regexp_string, REG_EXTENDED);
 }