From: Yann Ylavic Date: Mon, 6 Jul 2015 23:37:16 +0000 (+0000) Subject: Merge r1688536 and r1688538 from trunk. X-Git-Tag: 2.2.30~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=688d1977d1271add67fc9fd13bbcda15cce4ce45;p=thirdparty%2Fapache%2Fhttpd.git Merge r1688536 and r1688538 from trunk. http: follow up to r1685345, also needed in 2.4.x/2.2.x by r1686271/r1687339. Handle reentrance of state BODY_CHUNK_CR to avoid AH02901 when we eat BWS from multiple reads. http: follow up to r1685345. Be lenient up to 10 (room for 32bit decimals) Bad White Spaces (BWS) between chunk-size and chunk-ext/CRLF. Submitted by: ylavic Reviewed by: ylavic, wrowe, mrumph git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1689522 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index 855a281792c..1cf3626ca26 100644 --- a/STATUS +++ b/STATUS @@ -101,14 +101,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) http: follow up to r1686271 (trunk) => r1686271 (2.4.x) - Handle reentrance of state BODY_CHUNK_CR to avoid AH02901 when we eat - BWS from multiple reads, and limit number of chunk-BWS to 10. - trunk patch: http://svn.apache.org/r1688536 - http://svn.apache.org/r1688538 - 2.2.x patch: trunk works - +1: ylavic, wrowe, mrumph - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c index 13181fec2eb..006af7ef09d 100644 --- a/modules/http/http_filters.c +++ b/modules/http/http_filters.c @@ -62,6 +62,7 @@ typedef struct http_filter_ctx apr_off_t limit; apr_off_t limit_used; apr_int32_t chunk_used; + apr_int32_t chunk_bws; apr_int32_t chunkbits; enum { 
@@ -174,6 +175,7 @@ static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer, ctx->remaining = 0; ctx->chunkbits = sizeof(apr_off_t) * 8; ctx->chunk_used = 0; + ctx->chunk_bws = 0; } if (c == LF) { @@ -205,7 +207,12 @@ static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer, } } else if (c == ' ' || c == '\t') { + /* Be lenient up to 10 BWS (term from rfc7230 - 3.2.3). + */ ctx->state = BODY_CHUNK_CR; + if (++ctx->chunk_bws > 10) { + return APR_EINVAL; + } } else if (ctx->state == BODY_CHUNK_CR) { /* @@ -483,6 +490,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, case BODY_CHUNK: case BODY_CHUNK_PART: case BODY_CHUNK_EXT: + case BODY_CHUNK_CR: case BODY_CHUNK_LF: case BODY_CHUNK_END: case BODY_CHUNK_END_LF: {
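Review bot: the new field `apr_int32_t chunk_bws;` in the http_filter_ctx hunk (@@ -62,6 +62,7 @@) is undocumented. A one-line comment saying that it counts the BWS characters seen after the chunk-size of the current chunk, and that parse_chunk_size resets it together with chunk_used, would save the reader from having to work that out from the later hunks.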
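Review bot: the limit in `if (++ctx->chunk_bws > 10)` (parse_chunk_size hunk, @@ -205,7 +207,12 @@) is a bare literal, and the comment above it does not say why the bound is 10. The commit message gives the rationale (room for 32bit decimals), so a named constant with that reason in the comment would keep the bound from looking arbitrary to whoever changes it next. In the same branch, `ctx->state = BODY_CHUNK_CR;` is assigned before the counter is checked, so the context has already moved to the new state when APR_EINVAL is returned. Checking the counter first would leave the state untouched on the rejection path.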
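Review bot: no test accompanies the added `case BODY_CHUNK_CR:` in the ap_http_filter hunk (@@ -483,6 +490,7 @@), although the commit message names a specific trigger: BWS eaten across multiple reads, ending in AH02901. The patch touches only STATUS and http_filters.c, so a regression case that splits the chunk-size line between two BWS characters would pin this behaviour down. Because the case labels are listed by hand, a short comment stating that every state in which parse_chunk_size can return mid-line must appear here would help prevent the next new state from being left out in the same way.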