Fixed an infinite loop for references above the server root.

PR:	748
Submitted by:	Dean Gaudet
Reviewed by:	Brian Behlendorf


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3@78847 13f79535-47bb-0310-9956-ffa450edef68

2 files changed, 7 insertions, 0 deletions

diff --git a/APACHE_1_2_X/src/CHANGES b/APACHE_1_2_X/src/CHANGES
index 41e377d4e0..66f438959a 100644
--- a/APACHE_1_2_X/src/CHANGES
+++ b/APACHE_1_2_X/src/CHANGES
@@ -1,5 +1,8 @@
 Changes with Apache 1.2.2
 
+  *) Fixed an infinite loop in mod_imap for references above the server root
+     [Dean Gaudet] PR#748
+
   *) mod_include cleanup showed that handle_else was being used to handle
      endif.  It didn't cause problems, but it was cleaned up too.
      [Howard Fear]
diff --git a/APACHE_1_2_X/src/modules/standard/mod_imap.c b/APACHE_1_2_X/src/modules/standard/mod_imap.c
index e65925b5a3..11d7fe7382 100644
--- a/APACHE_1_2_X/src/modules/standard/mod_imap.c
+++ b/APACHE_1_2_X/src/modules/standard/mod_imap.c
@@ -475,6 +475,10 @@ void imap_url(request_rec *r, char *base, char *value, char *url)
 	  }
 
 	  value += 2;      /* jump over the '..' that we found in the value */
+      } else if (directory) {
+	url[0] = '\0';
+	log_reason("invalid directory name in map file", r->uri, r);
+	return;
       }
       
       if (! strncmp(value, "/../", 4) || ! strcmp(value, "/..") )