From: Yann Ylavic Date: Fri, 3 Jul 2015 00:32:25 +0000 (+0000) Subject: Merge r1688274 from trunk. X-Git-Tag: 2.2.30~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=956dc8130fbe2c04d27426911e603af263262362;p=thirdparty%2Fapache%2Fhttpd.git Merge r1688274 from trunk. http: Fix LimitRequestBody checks when there is no more bytes to read. Submitted by: Michael Kaufmann Committed by: ylavic Reviewed by: ylavic, mrumph, wrowe git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1688936 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 75052ab0d49..8b2edbe1bc5 100644 --- a/CHANGES +++ b/CHANGES @@ -8,6 +8,9 @@ Changes with Apache 2.2.30 Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters. [Graham Leggett, Yann Ylavic] + *) http: Fix LimitRequestBody checks when there is no more bytes to read. + [Michael Kaufmann ] + *) core: Allow spaces after chunk-size for compatibility with implementations using a pre-filled buffer. [Yann Ylavic, Jeff Trawick] diff --git a/STATUS b/STATUS index 5dc592b10d1..27f2a7cf81d 100644 --- a/STATUS +++ b/STATUS @@ -97,14 +97,6 @@ CURRENT RELEASE NOTES: RELEASE SHOWSTOPPERS: - *) http: Fix LimitRequestBody checks when there is no more bytes to read. - [Michael Kaufmann ] - trunk patch: http://svn.apache.org/r1688274 - 2.2.x patch: http://people.apache.org/~ylavic/httpd-2.2.x-fix_LimitRequestBody.patch - (modulo CHANGES, patch needed because of bail_out_on_error - and APLOGNO) - +1: ylavic, mrumph, wrowe - PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c index 94cac96f819..13181fec2eb 100644 --- a/modules/http/http_filters.c +++ b/modules/http/http_filters.c @@ -320,7 +320,6 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, apr_bucket *e; http_ctx_t *ctx = f->ctx; apr_status_t rv; - apr_off_t totalread; int http_error = HTTP_REQUEST_ENTITY_TOO_LARGE; apr_bucket_brigade *bb; int again; @@ -556,6 +555,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, readbytes = ctx->remaining; } if (readbytes > 0) { + apr_off_t totalread; rv = ap_get_brigade(f->next, b, mode, block, readbytes); @@ -598,6 +598,24 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, } } + /* We have a limit in effect. */ + if (ctx->limit) { + /* FIXME: Note that we might get slightly confused on + * chunked inputs as we'd need to compensate for the chunk + * lengths which may not really count. This seems to be up + * for interpretation. + */ + ctx->limit_used += totalread; + if (ctx->limit < ctx->limit_used) { + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r, + "Read content length of " + "%" APR_OFF_T_FMT " is larger than the " + "configured limit of %" APR_OFF_T_FMT, + ctx->limit_used, ctx->limit); + return bail_out_on_error(ctx, f, + HTTP_REQUEST_ENTITY_TOO_LARGE); + } + } } /* If we have no more bytes remaining on a C-L request, @@ -609,21 +627,6 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, ctx->eos_sent = 1; } - /* We have a limit in effect. */ - if (ctx->limit) { - /* FIXME: Note that we might get slightly confused on chunked inputs - * as we'd need to compensate for the chunk lengths which may not - * really count. This seems to be up for interpretation. */ - ctx->limit_used += totalread; - if (ctx->limit < ctx->limit_used) { - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r, - "Read content-length of %" APR_OFF_T_FMT - " is larger than the configured limit" - " of %" APR_OFF_T_FMT, ctx->limit_used, ctx->limit); - return bail_out_on_error(ctx, f, HTTP_REQUEST_ENTITY_TOO_LARGE); - } - } - break; } case BODY_CHUNK_TRAILER: {