Backports: r1683123

author William A. Rowe Jr <wrowe@apache.org>

Thu, 22 Dec 2016 22:59:59 +0000 (22:59 +0000)

committer William A. Rowe Jr <wrowe@apache.org>

Thu, 22 Dec 2016 22:59:59 +0000 (22:59 +0000)
author William A. Rowe Jr <wrowe@apache.org>
Thu, 22 Dec 2016 22:59:59 +0000 (22:59 +0000)
committer William A. Rowe Jr <wrowe@apache.org>
Thu, 22 Dec 2016 22:59:59 +0000 (22:59 +0000)
diff --git a/CHANGES b/CHANGES

index 1402bb1926a6e847f41cfc3e8df2fb07d0096ab8..ec03c436a507266d3569b3aac5dd6feb5c3514b4 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -10,6 +10,9 @@ Changes with Apache 2.2.32
    *) core: Enforce LimitRequestFieldSize after multiple headers with the same
       name have been merged. [Stefan Fritsch]
  
+  *) core: Avoid a possible truncation of the faulty header included in the
+     HTML response when LimitRequestFieldSize is reached.  [Yann Ylavic]
+
  Changes with Apache 2.2.31
  
    *) Correct win32 build issues for mod_proxy exports, OpenSSL 1.0.x headers.
diff --git a/server/protocol.c b/server/protocol.c

index 6876c0a4f9998ab5900f6f2e6a801dd7b931bae9..31923c1653994fc5c96eff35954efec8793323e8 100644 (file)
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -738,7 +738,7 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
               */
              if (rv == APR_ENOSPC) {
                  const char *field_escaped;
-                if (field) {
+                if (field && len) {
                      /* ensure ap_escape_html will terminate correctly */
                      field[len - 1] = '\0';
                      field_escaped = ap_escape_html(r->pool, field);
@@ -777,18 +777,21 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
                  apr_size_t fold_len = last_len + len + 1; /* trailing null */
  
                  if (fold_len >= (apr_size_t)(r->server->limit_req_fieldsize)) {
+                    const char *field_escaped;
+
                      r->status = HTTP_BAD_REQUEST;
                      /* report what we have accumulated so far before the
                       * overflow (last_field) as the field with the problem
                       */
+                    field_escaped = ap_escape_html(r->pool, last_field);
                      apr_table_setn(r->notes, "error-notes",
                                     apr_psprintf(r->pool,
                                                 "Size of a request header field "
                                                 "after folding "
                                                 "exceeds server limit.<br />\n"
-                                               "<pre>\n%.*s\n</pre>\n",
-                                               field_name_len(last_field),
-                                               ap_escape_html(r->pool, last_field)));
+                                               "<pre>\n%.*s\n</pre>\n", 
+                                               field_name_len(field_escaped), 
+                                               field_escaped));
                      ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                                    "Request header exceeds LimitRequestFieldSize "
                                    "after folding: %.*s",
author	William A. Rowe Jr <wrowe@apache.org>
	Thu, 22 Dec 2016 22:59:59 +0000 (22:59 +0000)
committer	William A. Rowe Jr <wrowe@apache.org>
	Thu, 22 Dec 2016 22:59:59 +0000 (22:59 +0000)
CHANGES		patch \| blob \| blame \| history
server/protocol.c		patch \| blob \| blame \| history