summaryrefslogblamecommitdiffstats
path: root/patches/source/subversion/subversion.CVE-2016-2168.diff
blob: 24741ca66be3bd7c036b7f7b475b2f4400190c29 (plain) (tree) 
8ff4f2f51
































1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
































                                                                                           
--- ./subversion/mod_authz_svn/mod_authz_svn.c.orig	2015-07-26 19:23:40.000000000 -0500
+++ ./subversion/mod_authz_svn/mod_authz_svn.c	2016-04-30 15:03:26.649048795 -0500
@@ -415,6 +415,8 @@
 
   if (r->method_number == M_MOVE || r->method_number == M_COPY)
     {
+      apr_status_t status;
+
       dest_uri = apr_table_get(r->headers_in, "Destination");
 
       /* Decline MOVE or COPY when there is no Destination uri, this will
@@ -423,7 +425,19 @@
       if (!dest_uri)
         return DECLINED;
 
-      apr_uri_parse(r->pool, dest_uri, &parsed_dest_uri);
+      status = apr_uri_parse(r->pool, dest_uri, &parsed_dest_uri);
+      if (status)
+        {
+          ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+                        "Invalid URI in Destination header");
+          return HTTP_BAD_REQUEST;
+        }
+      if (!parsed_dest_uri.path)
+        {
+          ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                        "Invalid URI in Destination header");
+          return HTTP_BAD_REQUEST;
+        }
 
       ap_unescape_url(parsed_dest_uri.path);
       dest_uri = parsed_dest_uri.path;
generated by cgit v1.2.3 (git 2.26.2) at 2024-04-25 05:50:35 +0000