From 87367647decd3415021f9654958f3a987f245fd1 Mon Sep 17 00:00:00 2001
From: Graham Leggett <minfrin@apache.org>
Date: Thu, 23 May 2013 12:52:06 +0000
Subject: [PATCH] CVE-2013-1896

mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
the source href (sent as part of the request body as XML) pointing to a
URI that is not configured for DAV will trigger a segfault.

Submitted by: Ben Reser <ben reser.org>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1485668 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES                    |  5 +++++
 modules/dav/main/mod_dav.c | 11 ++++++-----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index 41c503144d..145a503240 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,11 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
+     the source href (sent as part of the request body as XML) pointing to a
+     URI that is not configured for DAV will trigger a segfault. [Ben Reser
+     <ben reser.org>]
+
   *) mod_logio: new format-specifier %C (combined) which is the sum of received
      and sent byte counts.
      PR54015 [Christophe Jaillet]
diff --git a/modules/dav/main/mod_dav.c b/modules/dav/main/mod_dav.c
index 1d204e048f..2e040a7190 100644
--- a/modules/dav/main/mod_dav.c
+++ b/modules/dav/main/mod_dav.c
@@ -709,6 +709,12 @@ static dav_error *dav_get_resource(request_rec *r, int label_allowed,
 
     conf = ap_get_module_config(r->per_dir_config, &dav_module);
     /* assert: conf->provider != NULL */
+    if (conf->provider == NULL) {
+        return dav_new_error(r->pool, HTTP_METHOD_NOT_ALLOWED, 0, 0,
+                             apr_psprintf(r->pool,
+				          "DAV not enabled for %s",
+					  ap_escape_html(r->pool, r->uri)));
+    }
 
     /* resolve the resource */
     err = (*conf->provider->repos->get_resource)(r, conf->dir,
@@ -2691,11 +2697,6 @@ static int dav_method_copymove(request_rec *r, int is_move)
                                   "Destination URI had an error.");
     }
 
-    if (dav_get_provider(lookup.rnew) == NULL) {
-        return dav_error_response(r, HTTP_METHOD_NOT_ALLOWED,
-                                  "DAV not enabled for Destination URI.");
-    }
-
     /* Resolve destination resource */
     err = dav_get_resource(lookup.rnew, 0 /* label_allowed */,
                            0 /* use_checked_in */, &resnew);
-- 
2.40.0