From bf60f6b8033deddc86de5357d6099c7593fe44cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yann=20C=C3=A9zard?= Date: Thu, 25 Apr 2019 14:30:23 +0200 Subject: [PATCH] BUG/MEDIUM: contrib/modsecurity: If host header is NULL, don't try to strdup it I discovered this bug when running OWASP regression tests against HAProxy + modsecurity-spoa (it's a POC to evaluate how it is working). I found out that modsecurity spoa will crash when the request doesn't have any Host header. See the pull request #86 on github for details. This patch must be backported to 1.9 and 1.8. --- contrib/modsecurity/modsec_wrapper.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/contrib/modsecurity/modsec_wrapper.c b/contrib/modsecurity/modsec_wrapper.c index 1daaddbd5..370682bcf 100644 --- a/contrib/modsecurity/modsec_wrapper.c +++ b/contrib/modsecurity/modsec_wrapper.c @@ -325,7 +325,11 @@ int modsecurity_process(struct worker *worker, struct modsecurity_parameters *pa req->content_type = apr_table_get(req->headers_in, "Content-Type"); req->content_encoding = apr_table_get(req->headers_in, "Content-Encoding"); req->hostname = apr_table_get(req->headers_in, "Host"); - req->parsed_uri.hostname = chunk_strdup(req, req->hostname, strlen(req->hostname)); + if (req->hostname != NULL) { + req->parsed_uri.hostname = chunk_strdup(req, req->hostname, strlen(req->hostname)); + } else { + req->parsed_uri.hostname = NULL; + } lang = apr_table_get(req->headers_in, "Content-Languages"); if (lang != NULL) {