From: Paul Querna Date: Sat, 1 Apr 2006 06:18:02 +0000 (+0000) Subject: Merge r354630 from trunk: X-Git-Tag: 2.2.1~25 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=79c679c6b658b1ead699b226cdef8e91ebf45e38;p=thirdparty%2Fapache%2Fhttpd.git Merge r354630 from trunk: If a connection aborts while waiting for a chunked line, flag the connection as errored out and send errors upwards. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@390595 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 49cf050167f..483e8fde77c 100644 --- a/CHANGES +++ b/CHANGES @@ -14,6 +14,9 @@ Changes with Apache 2.2.1 made to ap_escape_html so we escape quotes. Reported by JPCERT. [Mark Cox] + *) http: If a connection is aborted while waiting for a chunked line, + flag the connection as errored out. [Justin Erenkrantz] + *) core: Reject invalid Expect header immediately. PR 38123. [Ruediger Pluem] diff --git a/STATUS b/STATUS index 1cb6d7ba60b..8397b606d18 100644 --- a/STATUS +++ b/STATUS @@ -75,14 +75,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * HTTP: If a connection aborts while waiting for a chunked line, - flag the connection as errored out. - http://svn.apache.org/viewcvs.cgi?rev=354630&view=rev - Message-ID: <4395A056.2070000@web.turner.com> - +1: jerenkrantz, jim, wrowe - -0: niq: Please explain why return value of ap_pass_brigade is - put into a variable and immediately discarded. - PATCHES PROPOSED TO BACKPORT FROM TRUNK: * mod_dbd: When threaded, create a private pool in child_init diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c index 28811623478..55cb876ecce 100644 --- a/modules/http/http_filters.c +++ b/modules/http/http_filters.c 
@@ -215,11 +215,12 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, if (rv == APR_SUCCESS) { /* We have to check the length of the brigade we got back. - * We will not accept partial lines. + * We will not accept partial or blank lines. */ rv = apr_brigade_length(bb, 1, &brigade_length); if (rv == APR_SUCCESS - && brigade_length > f->r->server->limit_req_line) { + && (!brigade_length || + brigade_length > f->r->server->limit_req_line)) { rv = APR_ENOSPC; } if (rv == APR_SUCCESS) { @@ -277,6 +278,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, char line[30]; apr_bucket_brigade *bb; apr_size_t len = 30; + apr_status_t http_error = HTTP_REQUEST_ENTITY_TOO_LARGE; bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc); @@ -292,7 +294,14 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, if (rv == APR_SUCCESS) { rv = apr_brigade_flatten(bb, line, &len); if (rv == APR_SUCCESS) { - ctx->remaining = get_chunk_size(line); + /* Wait a sec, that's a blank line! Oh no. */ + if (!len) { + rv = APR_EGENERAL; + http_error = HTTP_SERVICE_UNAVAILABLE; + } + else { + ctx->remaining = get_chunk_size(line); + } } } apr_brigade_cleanup(bb); @@ -300,16 +309,19 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, /* Detect chunksize error (such as overflow) */ if (rv != APR_SUCCESS || ctx->remaining < 0) { + apr_status_t out_error; + ctx->remaining = 0; /* Reset it in case we have to * come back here later */ - e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, + e = ap_bucket_error_create(http_error, NULL, f->r->pool, f->c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(bb, e); e = apr_bucket_eos_create(f->c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(bb, e); ctx->eos_sent = 1; - return ap_pass_brigade(f->r->output_filters, bb); + out_error = ap_pass_brigade(f->r->output_filters, bb); + return rv; } if (!ctx->remaining) {
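Review bot: The new `!brigade_length` test reports an empty line as `APR_ENOSPC`, the same status used for a line longer than `limit_req_line`, while the matching `!len` branch added in the `@@ -292` hunk uses `APR_EGENERAL`. Whatever handles `rv` below this hunk (not visible here) therefore cannot tell an aborted connection from an oversized chunk-size line, and the two read paths report the same event differently. Consider handling the empty case on its own ahead of the limit check, e.g. `if (rv == APR_SUCCESS && !brigade_length) rv = APR_EGENERAL;`. ap_http_filter starts and ends outside the hunk.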
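Review bot: `http_error` holds an HTTP response code, not an APR status, so declaring it `apr_status_t` makes it easy to confuse with `rv` in the error path further down. In the visible code it is only passed as the first argument of `ap_bucket_error_create`, which takes an `int`. `int http_error = HTTP_REQUEST_ENTITY_TOO_LARGE;` states the intent, and since the two types are compatible the change is cosmetic. The declaration sits in a block that begins and ends outside the hunk.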
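Review bot: The added `!len` check covers the empty buffer but not the full one: with `char line[30]` and `len = 30`, `apr_brigade_flatten` can fill all 30 bytes, and as far as I know it does not NUL-terminate. `get_chunk_size(line)` is not visible here; if it parses `line` as a C string it would then depend on whatever follows the array. Flattening at most `sizeof(line) - 1` bytes and setting `line[len] = '\0';` before the call would make the bound explicit. The new comment would also be more useful if it said what a zero length means, e.g. `/* Zero-length line: the connection was aborted while waiting for the chunk-size line. */`. The surrounding block begins and ends outside the hunk.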
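Review bot: `return rv;` yields `APR_SUCCESS` when this branch was entered only because `ctx->remaining < 0`, the chunk-size overflow case named in the comment above the `if`. The caller is then told the read succeeded even though an error bucket and EOS were just sent down the output filters. A caller that trusts the status could treat a request with a malformed chunk size as having a complete, empty body. Map that case to an error explicitly, e.g. `return (rv != APR_SUCCESS) ? rv : APR_EGENERAL;`. The enclosing function continues outside the hunk.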