Lighttpd

Requesting a document through the mod_secdownload mechanism causes a segfault if that document doesn't exist but the URL is otherwise fine according to mod_secdownload.

This might not be limited to mod_secdownload since the segfault happens in response.c.

If the file is not found, rel_path is not set, but http_response_prepare looks at rel_path->ptrr0 without checking for an empty buffer.

A quick fix is to add a check to http_response_prepare in response.c around line 1092:

/* not found, perhaps PATHINFO */

if (con->physical.rel_path->used && /* <<< ADD THIS CHECK <<< */
    con->physical.rel_path->ptr[0] == '/') {
    buffer_copy_string_len(srv->tmp_buf, con->physical.rel_path->ptr + 1, con->physical.rel_path->used - 2);
} else {
    buffer_copy_string_buffer(srv->tmp_buf, con->physical.rel_path);
}

A similar problem may exist at line 1033 in the same file, but I haven't been able to cause a crash there.

-- scott