Amend security_response_id being release before displaying it

estringana · estringana · commit 18708c1b95ad · 2025-11-19T12:06:59.000+01:00
diff --git a/appsec/src/extension/request_abort.c b/appsec/src/extension/request_abort.c
@@ -375,12 +375,17 @@ void dd_request_abort_redirect(void)
                 ? ZSTR_VAL(_block_parameters->security_response_id)
                 : "");
     } else {
+        zend_string *security_response_id = NULL;
+        if (_block_parameters->security_response_id) {
+            security_response_id =
+                zend_string_dup(_block_parameters->security_response_id, 0);
+        }
         _emit_error("Datadog blocked the request and attempted a redirection "
                     "to %s. No action required. Security Response ID: %s",
             ZSTR_VAL(_block_parameters->redirection_location),
-            _block_parameters->security_response_id
-                ? ZSTR_VAL(_block_parameters->security_response_id)
-                : "");
+            security_response_id ? ZSTR_VAL(security_response_id) : "");
+        zend_string_release(security_response_id);
+        security_response_id = NULL;
     }
 }
 
@@ -462,11 +467,16 @@ void _request_abort_static_page(int response_code, int type)
                 ? ZSTR_VAL(_block_parameters->security_response_id)
                 : "");
     } else {
+        zend_string *security_response_id = NULL;
+        if (_block_parameters->security_response_id) {
+            security_response_id =
+                zend_string_dup(_block_parameters->security_response_id, 0);
+        }
         _emit_error("Datadog blocked the request and presented a static error "
                     "page. No action required. Security Response ID: %s",
-            _block_parameters->security_response_id
-                ? ZSTR_VAL(_block_parameters->security_response_id)
-                : "");
+            security_response_id ? ZSTR_VAL(security_response_id) : "");
+        zend_string_release(security_response_id);
+        security_response_id = NULL;
     }
 }
 
@@ -552,13 +562,18 @@ static bool _abort_prelude(void)
                     ? ZSTR_VAL(_block_parameters->security_response_id)
                     : "");
         } else {
+            zend_string *security_response_id = NULL;
+            if (_block_parameters->security_response_id) {
+                security_response_id =
+                    zend_string_dup(_block_parameters->security_response_id, 0);
+            }
             _emit_error(
                 "Datadog blocked the request, but the response has already "
                 "been partially committed. No action required. Security "
                 "Response ID: %s",
-                _block_parameters->security_response_id
-                    ? ZSTR_VAL(_block_parameters->security_response_id)
-                    : "");
+                security_response_id ? ZSTR_VAL(security_response_id) : "");
+            zend_string_release(security_response_id);
+            security_response_id = NULL;
         }
         return false;
     }
