Merge r1026746 from trunk:

If an unknown Content-* header is received for a PUT request, we must not
ignore it but reply with 501 per RFC 2616 9.6.

PR: 42978

Submitted by: sf
Reviewed by: rpluem, covener, poirier

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1068310 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index fe2c03370b52f3481471ed9ef1920fe4fcc549b4..1703fad57f1e89058f82904cde24be3164f2913a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.18
 
+  *) mod_dav: Send 501 error if unknown Content-* header is received for a PUT
+     request (RFC 2616 9.6). PR 42978. [Stefan Fritsch]
+
   *) mod_dav: Send 400 error if malformed Content-Range header is received for
      a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch]
 

diff --git a/STATUS b/STATUS
index 6e86cd115415b98f18ac27bd72f3aee58ad0377c..b03427fa299452491edf73a460a6b0fb7f645306 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -98,15 +98,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
      2.2.x patch: http://people.apache.org/~minfrin/httpd-mod_cache-304-fix-2.patch
      +1: minfrin, jim, covener
 
-  * mod_dav: If an unknown Content-* header is received for a PUT request, we
-    must not ignore it but reply with 501 per RFC 2616 9.6.
-    PR: 42978
-    Trunk version of patch:
-      http://svn.apache.org/viewvc?rev=1026746&view=rev
-    Backport version for 2.2.x of patch:
-      Trunk version of patch works
-    +1: rpluem, covener, poirier
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 

diff --git a/modules/dav/main/mod_dav.c b/modules/dav/main/mod_dav.c
index 90370c6cc32d44188da948e8d2139854059e21c5..a94a30562624b40311a806e0102d0e93ab50acc9 100644 (file)
--- a/modules/dav/main/mod_dav.c
+++ b/modules/dav/main/mod_dav.c
@@ -812,6 +812,30 @@ static int dav_parse_range(request_rec *r,
     return 1;
 }
 
+static const char *dav_validate_content_headers(request_rec *r)
+{
+    int i, prefix_len = strlen("content-");
+    const apr_array_header_t *arr = apr_table_elts(r->headers_in);
+    const apr_table_entry_t *elts = (const apr_table_entry_t *)arr->elts;
+
+    for (i = 0; i < arr->nelts; ++i) {
+         if (elts[i].key == NULL)
+             continue;
+         if (strncasecmp(elts[i].key, "content-", prefix_len) == 0
+             && strcasecmp(elts[i].key + prefix_len, "length") != 0
+             && strcasecmp(elts[i].key + prefix_len, "range") != 0
+             /* Content-Location may be ignored per RFC 2616 14.14 */
+             && strcasecmp(elts[i].key + prefix_len, "location") != 0
+             && strcasecmp(elts[i].key + prefix_len, "type") != 0)
+         {
+             /* XXX: content-md5? content-language? content-encoding? */
+             return apr_psprintf(r->pool, "Support for %s is not implemented.",
+                                 ap_escape_html(r->pool, elts[i].key));
+         }
+    }
+    return NULL;
+}
+
 /* handle the GET method */
 static int dav_method_get(request_rec *r)
 {
@@ -959,6 +983,14 @@ static int dav_method_put(request_rec *r)
         mode = DAV_MODE_WRITE_TRUNC;
     }
 
+    if ((body = dav_validate_content_headers(r)) != NULL) {
+        /* RFC 2616 9.6: We must not ignore any Content-* headers we do not
+         * understand.
+         * XXX: Relax this for HTTP 1.0 requests?
+         */
+        return dav_error_response(r, HTTP_NOT_IMPLEMENTED, body);
+    }
+
     /* make sure the resource can be modified (if versioning repository) */
     if ((err = dav_auto_checkout(r, resource,
                                  0 /* not parent_only */,