Backports: r1178566
authorWilliam A. Rowe Jr <wrowe@apache.org>
Thu, 22 Dec 2016 18:57:26 +0000 (18:57 +0000)
committerWilliam A. Rowe Jr <wrowe@apache.org>
Thu, 22 Dec 2016 18:57:26 +0000 (18:57 +0000)
Submitted by: sf
Enforce LimitRequestFieldSize after multiple headers with the same
name have been merged.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x-merge-http-strict@1775699 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
server/protocol.c

diff --git a/CHANGES b/CHANGES
index 400717da69f2b747282bad2f2d16be1e41d4c95f..5557aba1965ded445ad0fae6586ddc157db98afb 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@ Changes with Apache 2.2.32
   *) Core: reject NULLs in request line or request headers.
      PR 43039 [Nick Kew]
 
+  *) core: Enforce LimitRequestFieldSize after multiple headers with the same
+     name have been merged. [Stefan Fritsch]
+
 Changes with Apache 2.2.31
 
   *) Correct win32 build issues for mod_proxy exports, OpenSSL 1.0.x headers.
index b96d9c760f425ab3a62b59e3fe323d787002e0f2..f0faf0f261371375895c62a3381c0c2addc3d38e 100644 (file)
@@ -688,6 +688,23 @@ static int field_name_len(const char *field)
     return end - field;
 }
 
+static int table_do_fn_check_lengths(void *r_, const char *key,
+                                     const char *value)
+{
+    request_rec *r = r_;
+    if (value == NULL || r->server->limit_req_fieldsize >= strlen(value) )
+        return 1;
+
+    r->status = HTTP_BAD_REQUEST;
+    apr_table_setn(r->notes, "error-notes",
+                   apr_pstrcat(r->pool, "Size of a request header field "
+                               "after merging exceeds server limit.<br />"
+                               "\n<pre>\n",
+                               ap_escape_html(r->pool, key),
+                               "</pre>\n", NULL));
+    return 0;
+}
+
 AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb)
 {
     char *last_field = NULL;
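Review bot: The rejection path in table_do_fn_check_lengths sets r->status and an "error-notes" entry but writes nothing to the error log, so a request rejected for exceeding LimitRequestFieldSize after merging leaves no server-side record naming the offending header. A log call before `return 0;` would give operators something to search and alert on, for example `ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "Request header exceeds LimitRequestFieldSize after merging: %.*s", field_name_len(key), key);`, using the field_name_len helper named in the hunk header to bound the logged name. Separately, the comparison mixes limit_req_fieldsize with the size_t returned by strlen(). If that field is a signed int (its declaration is not in this hunk), it is converted to unsigned for the comparison, so a one-line comment saying the limit is expected to be non-negative would help the next reader.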
@@ -867,6 +884,9 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
      * field-name, following RFC 2616, 4.2.
      */
     apr_table_compress(r->headers_in, APR_OVERLAP_TABLES_MERGE);
+
+    /* enforce LimitRequestFieldSize for merged headers */
+    apr_table_do(table_do_fn_check_lengths, r, r->headers_in, NULL);
 }
 
 AP_DECLARE(void) ap_get_mime_headers(request_rec *r)
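Review bot: The return value of apr_table_do is discarded at the new call, so the only signal that a merged header was over the limit is the r->status the callback sets, and the one-line comment does not say so. Since this is the last statement of ap_get_mime_headers_core (whose body starts outside the hunk), a caller that does not inspect r->status afterwards would continue with the oversized header still in r->headers_in. I would spell the contract out in the comment: `/* enforce LimitRequestFieldSize for merged headers; on violation the callback sets r->status = HTTP_BAD_REQUEST and stops iterating, callers must check r->status */`.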