summaryrefslogtreecommitdiffstats
path: root/patches/source/subversion/subversion.CVE-2016-2168.diff
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/subversion/subversion.CVE-2016-2168.diff')
-rw-r--r--patches/source/subversion/subversion.CVE-2016-2168.diff32
1 files changed, 32 insertions, 0 deletions
diff --git a/patches/source/subversion/subversion.CVE-2016-2168.diff b/patches/source/subversion/subversion.CVE-2016-2168.diff
new file mode 100644
index 00000000..24741ca6
--- /dev/null
+++ b/patches/source/subversion/subversion.CVE-2016-2168.diff
@@ -0,0 +1,32 @@
+--- ./subversion/mod_authz_svn/mod_authz_svn.c.orig 2015-07-26 19:23:40.000000000 -0500
++++ ./subversion/mod_authz_svn/mod_authz_svn.c 2016-04-30 15:03:26.649048795 -0500
+@@ -415,6 +415,8 @@
+
+ if (r->method_number == M_MOVE || r->method_number == M_COPY)
+ {
++ apr_status_t status;
++
+ dest_uri = apr_table_get(r->headers_in, "Destination");
+
+ /* Decline MOVE or COPY when there is no Destination uri, this will
+@@ -423,7 +425,19 @@
+ if (!dest_uri)
+ return DECLINED;
+
+- apr_uri_parse(r->pool, dest_uri, &parsed_dest_uri);
++ status = apr_uri_parse(r->pool, dest_uri, &parsed_dest_uri);
++ if (status)
++ {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
++ "Invalid URI in Destination header");
++ return HTTP_BAD_REQUEST;
++ }
++ if (!parsed_dest_uri.path)
++ {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Invalid URI in Destination header");
++ return HTTP_BAD_REQUEST;
++ }
+
+ ap_unescape_url(parsed_dest_uri.path);
+ dest_uri = parsed_dest_uri.path;