BUG/MEDIUM: contrib/modsecurity: If host header is NULL, don't try to strdup it

I discovered this bug when running OWASP regression tests against HAProxy +
modsecurity-spoa (it's a POC to evaluate how it is working).  I found out that
modsecurity spoa will crash when the request doesn't have any Host header.

See the pull request #86 on github for details.

This patch must be backported to 1.9 and 1.8.
This commit is contained in:
Yann Cézard 2019-04-25 14:30:23 +02:00 committed by Christopher Faulet
parent 494ddbff47
commit bf60f6b803

View File

@ -325,7 +325,11 @@ int modsecurity_process(struct worker *worker, struct modsecurity_parameters *pa
req->content_type = apr_table_get(req->headers_in, "Content-Type");
req->content_encoding = apr_table_get(req->headers_in, "Content-Encoding");
req->hostname = apr_table_get(req->headers_in, "Host");
req->parsed_uri.hostname = chunk_strdup(req, req->hostname, strlen(req->hostname));
if (req->hostname != NULL) {
req->parsed_uri.hostname = chunk_strdup(req, req->hostname, strlen(req->hostname));
} else {
req->parsed_uri.hostname = NULL;
}
lang = apr_table_get(req->headers_in, "Content-Languages");
if (lang != NULL) {