From: Stefan Fritsch Date: Wed, 28 Sep 2011 21:48:45 +0000 (+0000) Subject: Backport r1175980, r1175992: X-Git-Tag: 2.2.22~140 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2fe25279e8dfe16338ef1c0dde3ca7a58f567473;p=thirdparty%2Fapache%2Fhttpd.git Backport r1175980, r1175992: byterange: Range of '0-' returns 206 Submitted by: Jim Jagielski Reviewed by: jim, rpluem, rjung, sf git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1177080 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 6bb8a235c70..67fe277dcba 100644 --- a/CHANGES +++ b/CHANGES @@ -1,7 +1,8 @@  -*- coding: utf-8 -*- Changes with Apache 2.2.22 - + *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20: + A range of '0-' returns a 206. PR 51878. [Jim Jagielski] Changes with Apache 2.2.21 diff --git a/STATUS b/STATUS index 4308cb872bb..b03b860ae4e 100644 --- a/STATUS +++ b/STATUS @@ -94,13 +94,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * byterange: Range of '0-' returns 206. - Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1175980 - http://svn.apache.org/viewvc?view=revision&revision=1175992 - 2.2.x patch: http://people.apache.org/~jim/patches/2.2-byterange0-.txt - +1: jim, rpluem, rjung, sf - sf says: please also mention PR 51878 in CHANGES - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/http/byterange_filter.c b/modules/http/byterange_filter.c index ef3c79f7ee5..67a516ae3d1 100644 --- a/modules/http/byterange_filter.c +++ b/modules/http/byterange_filter.c 
@@ -500,6 +500,20 @@ static int ap_set_byterange(request_rec *r, apr_off_t clength, } else { /* "5-" */ end = clength - 1; + /* + * special case: 0- + * ignore all other ranges provided + * return as a single range: 0- + */ + if (start == 0) { + apr_array_clear(*indexes); + idx = (indexes_t *)apr_array_push(*indexes); + idx->start = start; + idx->end = end; + sum_lengths = clength; + num_ranges = 1; + break; + } } } @@ -526,9 +540,9 @@ static int ap_set_byterange(request_rec *r, apr_off_t clength, /* If all ranges are unsatisfiable, we should return 416 */ return -1; } - if (sum_lengths >= clength) { + if (sum_lengths > clength) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "Sum of ranges not smaller than file, ignoring."); + "Sum of ranges larger than file, ignoring."); return 0; }
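Review bot: the new CHANGES entry reads "Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20: A range of '0-' returns a 206", which can be taken to mean that returning 206 was the regression rather than the restored behaviour. Suggest phrasing the second sentence as the fix, for example "A range of '0-' now returns a 206 again", and keeping the PR 51878 reference as it is.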
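Review bot: the `break` in the new `if (start == 0)` branch of the `@@ -500,6 +500,20 @@` hunk in modules/http/byterange_filter.c stops processing at the first open-ended range that starts at 0, so any range specs that follow "0-" in the header are never parsed or validated, and the ranges collected so far are dropped by `apr_array_clear(*indexes)`. The comment says "ignore all other ranges provided" but not why that is acceptable; please extend it to say that "0-" already covers the whole entity and that trailing specs are deliberately left unchecked, or, if a malformed spec after "0-" should still invalidate the header, keep parsing and collapse to the single range only after the loop. The comment should also record that `sum_lengths = clength` depends on the later size check using `>` rather than `>=`, since the two hunks only work together.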
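Review bot: relaxing `sum_lengths >= clength` to `sum_lengths > clength` in the `@@ -526,9 +540,9 @@` hunk lets through every set of ranges whose lengths add up to exactly `clength`, not only the single "0-" range the commit message is about. Because CHANGES ties this code to the CVE-2011-3192 byterange fix, please confirm that a multi-range request totalling exactly the file size is meant to pass this check instead of being ignored, and add a comment next to the comparison explaining why equality is allowed. A regression test for the boundary (sum equal to `clength`, once with the single "0-" range and once with several ranges) would keep the comparison from being tightened or loosened again by accident.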