From: Yann Ylavic Date: Wed, 24 Jun 2015 18:04:49 +0000 (+0000) Subject: Merge r1685345, r1685347, r1685349 and r1685350 from trunk. X-Git-Tag: 2.2.30~23 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5ef157ba2af1efad5cf110579e339117df25135a;p=thirdparty%2Fapache%2Fhttpd.git Merge r1685345, r1685347, r1685349 and r1685350 from trunk. core: Allow spaces after chunk-size for compatibility with implementations using a pre-filled buffer. Submitted by: ylavic, trawick Reviewed by: ylavic, wrowe, minfrin git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1687339 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 8a97211e720..75052ab0d49 100644 --- a/CHANGES +++ b/CHANGES @@ -8,6 +8,9 @@ Changes with Apache 2.2.30 Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters. [Graham Leggett, Yann Ylavic] + *) core: Allow spaces after chunk-size for compatibility with implementations + using a pre-filled buffer. [Yann Ylavic, Jeff Trawick] + *) mod_ssl: bring SNI behavior into better conformance with RFC 6066: no longer send warning-level unrecognized_name(112) alerts. PR 56241. [Kaspar Brand] diff --git a/STATUS b/STATUS index dc7ae87b14b..044e1bd663f 100644 --- a/STATUS +++ b/STATUS 
@@ -101,42 +101,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) SECURITY: CVE-2015-3183 (cve.mitre.org) - core: Fix chunk header parsing defect. - Remove apr_brigade_flatten(), buffering and duplicated code from - the HTTP_IN filter, parse chunks in a single pass with zero copy. - Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext - authorized characters. [Graham Leggett, Yann Ylavic] - Submitted by: minfrin, ylavic - Reviewed by: ylavic, wrowe, - Backports: 1484852, 1684513 - Reported by: regilero - - trunk - http://svn.apache.org/r1484852 - http://svn.apache.org/r1684513 - 2.4.x branch - http://svn.apache.org/r1684515 - 2.2.x branch - http://people.apache.org/~wrowe/httpd-2.2.x-ap_http_filter-chunked-v6.patch - +1: ylavic, wrowe, minfrin - jim notes: test framework errors due to 413->400 error change [test adjusted] - wrowe notes: r1684513 was not neglected in this patch, already included - - *) core: Allow spaces after chunk-size for compatibility with implementations - using a pre-filled buffer. - trunk patch: http://svn.apache.org/r1685345 - http://svn.apache.org/r1685347 - http://svn.apache.org/r1685349 - http://svn.apache.org/r1685350 - 2.[24].x patch: http://people.apache.org/~ylavic/httpd-2.4.x-ap_http_filter_chunked-v3.patch - (trunk works but CHANGES entry in the above patch is - better since the APLOG_INFO part is already included - in the CVE-2015-3183 patch) - +1: ylavic, wrowe, minfrin - ylavic: CVE-2015-3183 patch httpd-2.2.x-ap_http_filter-chunked-v6.patch - above must be applied first. - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c index 5e190cb5fea..94cac96f819 100644 --- a/modules/http/http_filters.c +++ b/modules/http/http_filters.c 
@@ -70,10 +70,11 @@ typedef struct http_filter_ctx BODY_CHUNK, /* chunk expected */ BODY_CHUNK_PART, /* chunk digits */ BODY_CHUNK_EXT, /* chunk extension */ - BODY_CHUNK_LF, /* got CR, expect LF after digits/extension */ + BODY_CHUNK_CR, /* got space(s) after digits, expect [CR]LF or ext */ + BODY_CHUNK_LF, /* got CR after digits or ext, expect LF */ BODY_CHUNK_DATA, /* data constrained by chunked encoding */ BODY_CHUNK_END, /* chunked data terminating CRLF */ - BODY_CHUNK_END_LF, /* got CR, expect LF after data */ + BODY_CHUNK_END_LF, /* got CR after data, expect LF */ BODY_CHUNK_TRAILER /* trailers */ } state; unsigned int eos_sent :1; @@ -203,6 +204,15 @@ static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer, return APR_EINVAL; } } + else if (c == ' ' || c == '\t') { + ctx->state = BODY_CHUNK_CR; + } + else if (ctx->state == BODY_CHUNK_CR) { + /* + * ';', CR or LF expected. + */ + return APR_EINVAL; + } else if (ctx->state == BODY_CHUNK_PART) { int xvalue;
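Review bot: the new CHANGES entry says "Allow spaces after chunk-size", but the `parse_chunk_size` branch added in this same patch tests `c == ' ' || c == '\t'`, so tabs are accepted as well. The entry directly above it advertises strict chunk parsing, so word this one as "spaces and tabs" (or drop the `'\t'` test). That way anyone comparing how a front-end proxy and this server parse chunk headers knows exactly what is tolerated.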
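Review bot: in the STATUS hunk, the removed block includes the CVE-2015-3183 entry as well as the "Allow spaces after chunk-size" proposal, while the log message names only r1685345, r1685347, r1685349 and r1685350. The CHANGES context lines show the chunk-size fix is already recorded, so this reads as cleanup. A line in the log message saying the CVE entry is being cleared here would keep the security backport traceable.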
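Review bot: in the `http_filter_ctx` state enum hunk, `BODY_CHUNK_CR` is named like its neighbour `BODY_CHUNK_LF` (after the byte expected next), yet its own comment says the state also accepts a bare LF or the start of an extension. A name that describes what was seen, whitespace after the digits, would be harder to misread the next time this state machine is changed. At minimum the comment should stay the authoritative description of the state.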
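Review bot: in the `parse_chunk_size` hunk, `else if (c == ' ' || c == '\t')` moves to `BODY_CHUNK_CR` on the character alone, with no test of `ctx->state`, so whether whitespace is accepted only after at least one hex digit depends entirely on the branches above this hunk, which are not shown. Either guard the branch with the states it is meant to follow (`BODY_CHUNK_PART` or `BODY_CHUNK_CR`) or add a comment naming the earlier branches that rule out the others. A test in which a digit follows the spaces and hits the new `return APR_EINVAL` would pin the behaviour down.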