RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-04-01 22:48:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MEDIUM: contrib/modsecurity: If host header is NULL, don't try to strdup it

Browse Source 
I discovered this bug when running OWASP regression tests against HAProxy +
modsecurity-spoa (it's a POC to evaluate how it is working).  I found out that
modsecurity spoa will crash when the request doesn't have any Host header.

See the pull request  on github for details.

This patch must be backported to 1.9 and 1.8.
This commit is contained in:
Yann Cézard 2019-04-25 14:30:23 +02:00 committed by Christopher Faulet
parent 494ddbff47
commit bf60f6b803
1 changed files with 5 additions and 1 deletions

4
contrib/modsecurity/modsec_wrapper.c
View File

@ -325,7 +325,11 @@ int modsecurity_process(struct worker *worker, struct modsecurity_parameters *pa
req->content_type = apr_table_get(req->headers_in, "Content-Type");
req->content_encoding = apr_table_get(req->headers_in, "Content-Encoding");
req->hostname = apr_table_get(req->headers_in, "Host");
if (req->hostname != NULL) {
req->parsed_uri.hostname = chunk_strdup(req, req->hostname, strlen(req->hostname));
} else {
req->parsed_uri.hostname = NULL;
}
lang = apr_table_get(req->headers_in, "Content-Languages");
if (lang != NULL) {