Merge r1556428 from trunk:

SECURITY: CVE-2013-6438 (cve.mitre.org)
mod_dav: Keep track of length of cdata properly when removing leading spaces.

* modules/dav/main/util.c
  (dav_xml_get_cdata): reduce len variable when increasing cdata pointer.

Submitted by: Amin Tora <Amin.Tora neustar.biz>

Reviewed by: breser, rpluem, gstein, wrowe

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1576706 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/STATUS b/STATUS
index 0de9a9935c882225207338a354987bcbb73b96ed..15bcb0d25ea41e28fbdcaed54621a52660a28fd2 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -98,11 +98,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
   
-  * mod_dav: Fix string length calculation in dav_xml_get_cdata()
-    trunk patch: https://svn.apache.org/r1556428
-    2.2.x: trunk patch applies aka `svn merge -c 1556428 ^/httpd/httpd/trunk`
-    +1: breser, rpluem, gstein, wrowe
-
  *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
     TE/CL conflicts. [Yann Ylavic <ylavic.dev gmail com>, Jim Jagielski] 
     trunk patch: https://svn.apache.org/viewvc?view=revision&revision=1524192

diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c
index ddbd621218024b33959aef2b997e652e0e14ae6f..ba856fa2880712c89555b4b5108d4b5b0d02d199 100644 (file)
--- a/modules/dav/main/util.c
+++ b/modules/dav/main/util.c
@@ -372,8 +372,10 @@ DAV_DECLARE(const char *) dav_xml_get_cdata(const apr_xml_elem *elem, apr_pool_t
 
     if (strip_white) {
         /* trim leading whitespace */
-        while (apr_isspace(*cdata))     /* assume: return false for '\0' */
+        while (apr_isspace(*cdata)) {     /* assume: return false for '\0' */
             ++cdata;
+            --len;
+        }
 
         /* trim trailing whitespace */
         while (len-- > 0 && apr_isspace(cdata[len]))