Backports: r892678

author William A. Rowe Jr <wrowe@apache.org>

Thu, 22 Dec 2016 18:39:40 +0000 (18:39 +0000)

committer William A. Rowe Jr <wrowe@apache.org>

Thu, 22 Dec 2016 18:39:40 +0000 (18:39 +0000)
author William A. Rowe Jr <wrowe@apache.org>
Thu, 22 Dec 2016 18:39:40 +0000 (18:39 +0000)
committer William A. Rowe Jr <wrowe@apache.org>
Thu, 22 Dec 2016 18:39:40 +0000 (18:39 +0000)
diff --git a/CHANGES b/CHANGES

index bd8b050ffe2ed5f19c540573635e0ed77b2f36e0..400717da69f2b747282bad2f2d16be1e41d4c95f 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,7 +1,8 @@
                                                           -*- coding: utf-8 -*-
  Changes with Apache 2.2.32
  
-
+  *) Core: reject NULLs in request line or request headers.
+     PR 43039 [Nick Kew]
  
  Changes with Apache 2.2.31
  
diff --git a/server/protocol.c b/server/protocol.c

index f078b2f2e442dfb76c2053162c4f143346ca318e..84d60983a5f525ba9e7e62f6a77a08d64da324b0 100644 (file)
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -433,8 +433,13 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
              }
          }
      }
-
      *read = bytes_handled;
+
+    /* PR#43039: We shouldn't accept NULL bytes within the line */
+    if (strlen(*s) < bytes_handled - 1) {
+        return APR_EINVAL;
+    }
+
      return APR_SUCCESS;
  }
  
@@ -609,6 +614,9 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
              else if (APR_STATUS_IS_TIMEUP(rv)) {
                  r->status = HTTP_REQUEST_TIME_OUT;
              }
+            else if (rv == APR_EINVAL) {
+                r->status = HTTP_BAD_REQUEST;
+            }
              r->proto_num = HTTP_VERSION(1,0);
              r->protocol  = apr_pstrdup(r->pool, "HTTP/1.0");
              return 0;
@@ -923,9 +931,16 @@ request_rec *ap_read_request(conn_rec *conn)
  
      /* Get the request... */
      if (!read_request_line(r, tmp_bb)) {
-        if (r->status == HTTP_REQUEST_URI_TOO_LARGE) {
-            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                          "request failed: URI too long (longer than %d)", r->server->limit_req_line);
+        if (r->status == HTTP_REQUEST_URI_TOO_LARGE
+            || r->status == HTTP_BAD_REQUEST) {
+            if (r->status == HTTP_BAD_REQUEST) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                              "request failed: invalid characters in URI");
+            }
+            else {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                              "request failed: URI too long (longer than %d)", r->server->limit_req_line);
+            }
              ap_send_error_response(r, 0);
              ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
              ap_run_log_transaction(r);
author	William A. Rowe Jr <wrowe@apache.org>
	Thu, 22 Dec 2016 18:39:40 +0000 (18:39 +0000)
committer	William A. Rowe Jr <wrowe@apache.org>
	Thu, 22 Dec 2016 18:39:40 +0000 (18:39 +0000)
CHANGES		patch \| blob \| blame \| history
server/protocol.c		patch \| blob \| blame \| history