From: Jim Jagielski Date: Tue, 9 Jul 2002 14:47:24 +0000 (+0000) Subject: Allow for null/all-whitespace C-L fields as we did pre-1.3.26. However, X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aca9f131f321c412e1ea071948d2c3b17d8af9a9;p=thirdparty%2Fapache%2Fhttpd.git Allow for null/all-whitespace C-L fields as we did pre-1.3.26. However, we do not allow for the total bogusness of values for C-L, just this one special case. IMO a C-L field of "iloveyou" is bogus as is one of "123yabbadabbado", which older versions appear to have allowed (and in the 1st case, assume 0 and in the 2nd assume 123). Didn't make sense to make this runtime, but a documented special case instead. PR: Obtained from: Submitted by: Reviewed by: git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@95986 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/src/CHANGES b/src/CHANGES index 36e78d69299..b04792e4e52 100644 --- a/src/CHANGES +++ b/src/CHANGES @@ -1,5 +1,13 @@ Changes with Apache 1.3.27 + *) In 1.3.26, a null or all blank Content-Length field would be + triggered as an error; previous versions would silently ignore + this and assume 0. As a special case, we now allow this and + behave as we previously did. HOWEVER, previous versions would + also silently accept bogus C-L values; We do NOT do that. That + *is* an invalid value and we treat it as such. + [Jim Jagielski] + *) Add ProtocolReqCheck directive, which determines if Apache will check for a valid protocol string in the request (eg: HTTP/1.1) and return HTTP_BAD_REQUEST if not valid. Versions of Apache diff --git a/src/main/http_protocol.c b/src/main/http_protocol.c index e497bbbaa94..99a385e8b80 100644 --- a/src/main/http_protocol.c +++ b/src/main/http_protocol.c 
@@ -2011,10 +2011,16 @@ API_EXPORT(int) ap_setup_client_block(request_rec *r, int read_policy) const char *pos = lenp; int conversion_error = 0; - while (ap_isdigit(*pos) || ap_isspace(*pos)) + while (ap_isspace(*pos)) ++pos; if (*pos == '\0') { + /* special case test - a C-L field NULL or all blanks is + * assumed OK and defaults to 0. Otherwise, we do a + * strict check of the field */ + r->remaining = 0; + } + else { char *endstr; errno = 0; r->remaining = ap_strtol(lenp, &endstr, 10); @@ -2023,7 +2029,7 @@ API_EXPORT(int) ap_setup_client_block(request_rec *r, int read_policy) } } - if (*pos != '\0' || conversion_error) { + if (conversion_error) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, "Invalid Content-Length"); return HTTP_BAD_REQUEST;
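Review bot: In the src/CHANGES entry, the text says bogus C-L values are treated as invalid but not what the client actually gets back. State that the request is rejected with HTTP_BAD_REQUEST and logged as "Invalid Content-Length", which is what the http_protocol.c change does. Wording nits in the same entry: "would be triggered as an error" reads better as "was treated as an error", and "We" after the semicolon should be lower case.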
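Review bot: In the first http_protocol.c hunk (@@ -2011), the new comment says "a C-L field NULL or all blanks", but `pos` is dereferenced by `while (ap_isspace(*pos))` just above, so the case handled here is an empty or all-blank string, not a null pointer; say "empty" in the comment. The branch also sets `r->remaining = 0` without any trace. Since CHANGES calls this a documented special case, consider a log line at a lower level than APLOG_ERR when it is taken, so operators can see which clients send a blank Content-Length and can check that any front-end proxy reads such a header the same way this server does.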
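Review bot: In the second http_protocol.c hunk (@@ -2023), dropping `*pos != '\0'` from the final test means rejection of a value such as "123yabbadabbado" now rests entirely on `conversion_error`, which is set in lines that fall between the two hunks and are not part of this diff. Because the loop in the first hunk no longer walks over digits, `ap_strtol(lenp, &endstr, 10)` is the only parser left, and a strtol-style conversion accepts a leading sign that the old `ap_isdigit`/`ap_isspace` scan would have rejected. Please confirm the check after `ap_strtol` covers a non-empty `*endstr`, a nonzero `errno` and a negative result, and add a comment there noting that it is now the sole validation of the field.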