$NetBSD: patch-CVE-2012-0021,v 1.1.2.2 2012/01/30 03:30:53 sbd Exp $

Fix security vulnerability reported in CVE-2012-0021. Patch taken from
Apache SVN repository:

http://svn.apache.org/viewvc?view=revision&revision=1227292

--- modules/loggers/mod_log_config.c.orig	2010-08-24 07:41:38.000000000 +0100
+++ modules/loggers/mod_log_config.c	2012-01-29 12:08:13.000000000 +0000
@@ -524,19 +524,21 @@
 
         while ((cookie = apr_strtok(cookies, ";", &last1))) {
             char *name = apr_strtok(cookie, "=", &last2);
-            char *value;
-            apr_collapse_spaces(name, name);
+            if (name) {
+                char *value;
+                apr_collapse_spaces(name, name);
+
+                if (!strcasecmp(name, a) && (value = apr_strtok(NULL, "=", &last2))) {
+                    char *last;
+                    value += strspn(value, " \t");  /* Move past leading WS */
+                    last = value + strlen(value) - 1;
+                    while (last >= value && apr_isspace(*last)) {
+                       *last = '\0';
+                       --last;
+                    }
 
-            if (!strcasecmp(name, a) && (value = apr_strtok(NULL, "=", &last2))) {
-                char *last;
-                value += strspn(value, " \t");  /* Move past leading WS */
-                last = value + strlen(value) - 1;
-                while (last >= value && apr_isspace(*last)) {
-                   *last = '\0';
-                   --last;
+                    return ap_escape_logitem(r->pool, value);
                 }
-
-                return ap_escape_logitem(r->pool, value);
             }
             cookies = NULL;
         }
