core, protocol: reject invalid Content-Length ASAP.

Don't let invalid invalid Content-Length header go beyond ap_read_request()
and protocol validation. The check in ap_http_filter() is still useful if
some modules mangles the header, but it's too late for the usual case.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877955 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/server/protocol.c b/server/protocol.c
index aeff2d20020cf9c5250df4c85d59815a15ed8728..76baabbe291b5b63de990e0f814e541e1c268db0 100644 (file)
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -1493,7 +1493,7 @@ request_rec *ap_read_request(conn_rec *conn)
     apply_server_config(r);
 
     if (!r->assbackwards) {
-        const char *tenc;
+        const char *tenc, *clen;
 
         ap_get_mime_headers_core(r, tmp_bb);
         apr_brigade_cleanup(tmp_bb);
@@ -1528,6 +1528,17 @@ request_rec *ap_read_request(conn_rec *conn)
              */
             apr_table_unset(r->headers_in, "Content-Length");
         }
+        else if ((clen = apr_table_get(r->headers_in, "Content-Length"))) {
+            apr_off_t cl;
+
+            if (!ap_parse_strict_length(&cl, clen)) {
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(10242)
+                              "client sent invalid Content-Length "
+                              "(%s): %s", clen, r->uri);
+                access_status = HTTP_BAD_REQUEST;
+                goto die_unusable_input;
+            }
+        }
     }
 
     /*