From: William A. Rowe Jr Date: Thu, 22 Dec 2016 22:59:59 +0000 (+0000) Subject: Backports: r1683123 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a6160180773ac94c2d5858b7b6bc6204368aef9b;p=thirdparty%2Fapache%2Fhttpd.git Backports: r1683123 Submitted by: ylavic core: Avoid a possible truncation of the faulty header included in the HTML response when LimitRequestFieldSize is reached. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x-merge-http-strict@1775769 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 1402bb1926a..ec03c436a50 100644 --- a/CHANGES +++ b/CHANGES @@ -10,6 +10,9 @@ Changes with Apache 2.2.32 *) core: Enforce LimitRequestFieldSize after multiple headers with the same name have been merged. [Stefan Fritsch] + *) core: Avoid a possible truncation of the faulty header included in the + HTML response when LimitRequestFieldSize is reached. [Yann Ylavic] + Changes with Apache 2.2.31 *) Correct win32 build issues for mod_proxy exports, OpenSSL 1.0.x headers. diff --git a/server/protocol.c b/server/protocol.c index 6876c0a4f99..31923c16539 100644 --- a/server/protocol.c +++ b/server/protocol.c @@ -738,7 +738,7 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb */ if (rv == APR_ENOSPC) { const char *field_escaped; - if (field) { + if (field && len) { /* ensure ap_escape_html will terminate correctly */ field[len - 1] = '\0'; field_escaped = ap_escape_html(r->pool, field); 
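Review bot: With the guard widened to `if (field && len)`, a non-NULL `field` with `len == 0` now skips this branch, and `field_escaped` is declared without an initialiser two lines above, so whatever follows the `if` must assign it before the error note is built. The rest of the `rv == APR_ENOSPC` block is outside the hunk, so this cannot be confirmed from here; if no `else` already covers it, `field_escaped = "";` on that path would close the gap. The retained comment also explains only the terminator write, not the new test; `/* len == 0 would make len - 1 wrap; also ensure ap_escape_html will terminate correctly */` would record why `len` is checked, assuming `len` is an unsigned size type as the `fold_len` arithmetic in the next hunk suggests.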
@@ -777,18 +777,21 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb apr_size_t fold_len = last_len + len + 1; /* trailing null */ if (fold_len >= (apr_size_t)(r->server->limit_req_fieldsize)) { + const char *field_escaped; + r->status = HTTP_BAD_REQUEST; /* report what we have accumulated so far before the * overflow (last_field) as the field with the problem */ + field_escaped = ap_escape_html(r->pool, last_field); apr_table_setn(r->notes, "error-notes", apr_psprintf(r->pool, "Size of a request header field " "after folding " "exceeds server limit.
\n" - "
\n%.*s\n
\n", - field_name_len(last_field), - ap_escape_html(r->pool, last_field))); + "
\n%.*s\n
\n", + field_name_len(field_escaped), + field_escaped)); ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "Request header exceeds LimitRequestFieldSize " "after folding: %.*s",
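Review bot: Nothing near the new `field_escaped = ap_escape_html(r->pool, last_field);` line records why the `%.*s` precision is now measured on the escaped copy rather than on `last_field`; the block comment above it still only says which field is reported. A line such as `/* measure field_escaped, not last_field: %.*s is applied to the escaped text, which grows whenever an entity is expanded */` would keep a later edit from reintroducing the mismatch. If `field_name_len()` caps its result at a fixed length (its definition is not in this hunk), the cut can fall inside an entity; the output stays escaped, so this is cosmetic, but the same comment could say so. The arguments of the following `ap_log_rerror()` call lie outside the hunk, so it is not visible here whether its `%.*s` length and string are a matching pair.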