*) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues.
[Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
+ *) core: Limit to ten the number of tolerated empty lines between request.
+ [Yann Ylavic]
+
*) Core: reject NULLs in request line or request headers.
PR 43039 [Nick Kew]
#ifndef DEFAULT_LIMIT_REQUEST_FIELDS
#define DEFAULT_LIMIT_REQUEST_FIELDS 100
#endif
+/** default/hard limit on number of leading/trailing empty lines */
+#ifndef DEFAULT_LIMIT_BLANK_LINES
+#define DEFAULT_LIMIT_BLANK_LINES 10
+#endif
/**
* The default default character set name to add if AddDefaultCharset is
unsigned int major = 1, minor = 0; /* Assume HTTP/1.0 if non-"HTTP" protocol */
char http[5];
apr_size_t len;
- int num_blank_lines = 0;
- int max_blank_lines = r->server->limit_req_fields;
-
- if (max_blank_lines <= 0) {
- max_blank_lines = DEFAULT_LIMIT_REQUEST_FIELDS;
- }
+ int num_blank_lines = DEFAULT_LIMIT_BLANK_LINES;
/* Read past empty lines until we get a real request line,
* a read error, the connection closes (EOF), or we timeout.
r->protocol = apr_pstrdup(r->pool, "HTTP/1.0");
return 0;
}
- } while ((len <= 0) && (++num_blank_lines < max_blank_lines));
+ } while ((len <= 0) && (--num_blank_lines >= 0));
r->request_time = apr_time_now();
ll = r->the_request;
uri = ap_getword_white(r->pool, &ll);
+ if (!*r->method || !*uri) {
+ r->status = HTTP_BAD_REQUEST;
+ r->proto_num = HTTP_VERSION(1,0);
+ r->protocol = apr_pstrdup(r->pool, "HTTP/1.0");
+ return 0;
+ }
+
/* Provide quick information about the request method as soon as known */
r->method_number = ap_method_number_of(r->method);
}
ap_parse_uri(r, uri);
+ if (r->status != HTTP_OK) {
+ r->proto_num = HTTP_VERSION(1,0);
+ r->protocol = apr_pstrdup(r->pool, "HTTP/1.0");
+ return 0;
+ }
if (ll[0]) {
r->assbackwards = 0;
projects / thirdparty / apache / httpd.git / commitdiff
