From: Ruediger Pluem Date: Wed, 12 Mar 2014 11:50:49 +0000 (+0000) Subject: Merge r1556428 from trunk: X-Git-Tag: 2.2.27~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0d0a4091ffa4ffae9cbe0556c299e012440e2177;p=thirdparty%2Fapache%2Fhttpd.git Merge r1556428 from trunk: SECURITY: CVE-2013-6438 (cve.mitre.org) mod_dav: Keep track of length of cdata properly when removing leading spaces. * modules/dav/main/util.c (dav_xml_get_cdata): reduce len variable when increasing cdata pointer. Submitted by: Amin Tora Reviewed by: breser, rpluem, gstein, wrowe git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1576706 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index 0de9a9935c8..15bcb0d25ea 100644 --- a/STATUS +++ b/STATUS @@ -98,11 +98,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_dav: Fix string length calculation in dav_xml_get_cdata() - trunk patch: https://svn.apache.org/r1556428 - 2.2.x: trunk patch applies aka `svn merge -c 1556428 ^/httpd/httpd/trunk` - +1: breser, rpluem, gstein, wrowe - *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding TE/CL conflicts. [Yann Ylavic , Jim Jagielski] trunk patch: https://svn.apache.org/viewvc?view=revision&revision=1524192 diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c index ddbd6212180..ba856fa2880 100644 --- a/modules/dav/main/util.c +++ b/modules/dav/main/util.c @@ -372,8 +372,10 @@ DAV_DECLARE(const char *) dav_xml_get_cdata(const apr_xml_elem *elem, apr_pool_t if (strip_white) { /* trim leading whitespace */ - while (apr_isspace(*cdata)) /* assume: return false for '\0' */ + while (apr_isspace(*cdata)) { /* assume: return false for '\0' */ ++cdata; + --len; + } /* trim trailing whitespace */ while (len-- > 0 && apr_isspace(cdata[len]))
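Review bot: in the modules/dav/main/util.c hunk, the leading-whitespace loop in dav_xml_get_cdata() now decrements len on every iteration but still stops only on the assumption in its comment, that apr_isspace() returns false for '\0'. Nothing in the loop checks len itself, so if the accumulated length and the terminator ever disagree, len is decremented past zero before the trailing-whitespace loop indexes cdata[len]. Consider bounding the loop on the length as the trailing loop already does, for example `while (len > 0 && apr_isspace(*cdata)) {`, and replacing the "assume" comment with one stating the invariant that len must always describe the bytes remaining at cdata. The fix is a single decrement whose absence was a security issue, so a regression test with a property value made up entirely of whitespace would be worth adding alongside it.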