[mod_cgi] fix assert if empty X-Sendfile path (fixes #3062)

(thx axe34)

Please note that this would not have crashed "x-sendfile-docroot"
were set to restrict the locations of files that can be sent via
X-Sendfile.  If users are untrusted, "x-sendfile" should not be
enable without also configuring "x-sendfile-docroot"

x-ref:
  "Server Aborted due to Malicious Data sent through CGI Sendfile"
  https://redmine.lighttpd.net/issues/3062

1 files changed, 8 insertions, 0 deletions

diff --git a/src/http-header-glue.c b/src/http-header-glue.c
index 2ed9d45b..6531843c 100644
--- a/src/http-header-glue.c
+++ b/src/http-header-glue.c
@@ -737,6 +737,10 @@ static void http_response_xsendfile (request_st * const r, buffer * const path,
 	if (r->conf.force_lowercase_filenames) {
 		buffer_to_lower(path);
 	}
+	if (buffer_string_is_empty(path)) {
+		r->http_status = 502;
+		valid = 0;
+	}
 
 	/* check that path is under xdocroot(s)
 	 * - xdocroot should have trailing slash appended at config time
@@ -815,6 +819,10 @@ static void http_response_xsendfile2(request_st * const r, const buffer * const
         if (r->conf.force_lowercase_filenames) {
             buffer_to_lower(b);
         }
+        if (buffer_string_is_empty(b)) {
+            r->http_status = 502;
+            break;
+        }
         if (xdocroot) {
             size_t i, xlen = buffer_string_length(b);
             for (i = 0; i < xdocroot->used; ++i) {