# SECURITY: CVE-2010-1452 (cve.mitre.org)
# mod_dav: Fix Handling of requests without a path segment.
# PR: 49246 [Mark Drayton, Jeff Trawick]
# Backports: r966348
Index: modules/dav/main/util.c
===================================================================
--- modules/dav/main/util.c (revision 966476)
+++ modules/dav/main/util.c (working copy)
@@ -624,7 +624,8 @@
 /* 2518 specifies this must be an absolute URI; just take the
 * relative part for later comparison against r->uri */
- if (apr_uri_parse(r->pool, uri, &parsed_uri) != APR_SUCCESS) {
+ if (apr_uri_parse(r->pool, uri, &parsed_uri) != APR_SUCCESS
+ || !parsed_uri.path) {
 return dav_new_error(r->pool, HTTP_BAD_REQUEST, DAV_ERR_IF_TAGGED, "Invalid URI in tagged If-header.");
Index: include/httpd.h
===================================================================
--- include/httpd.h (revision 966476)
+++ include/httpd.h (working copy)
@@ -866,7 +866,7 @@
 /** The URI without any parsing performed */
 char *unparsed_uri;
- /** The path portion of the URI */
+ /** The path portion of the URI, or "/" if no path provided */
 char *uri;
 /** The filename on disk corresponding to this response */
 char *filename;
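Review bot: The added `|| !parsed_uri.path` test in the modules/dav/main/util.c hunk has no comment explaining why a URI that parsed successfully can still have no path, so a later cleanup could remove it as redundant. I would add, directly above the `if`, `/* apr_uri_parse() can succeed and leave path NULL when the URI has no path segment; reject it before path is used (CVE-2010-1452) */`. The existing comment says the relative part is kept "for later comparison against r->uri", so the code after this hunk presumably dereferences `parsed_uri.path`; the enclosing function starts and ends outside the hunk, so that is inferred rather than visible. A regression test that a tagged If-header URI with no path segment is answered with 400 would pin the behaviour, and other call sites that use `.path` after `apr_uri_parse()` on client-supplied URIs are worth checking for the same assumption.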