From: Yann Ylavic Date: Fri, 3 Jul 2015 00:28:08 +0000 (+0000) Subject: Merge r1688274 from trunk. X-Git-Tag: 2.4.16~26 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ba3ddaeb073089755f69d65db186a1e14be5748e;p=thirdparty%2Fapache%2Fhttpd.git Merge r1688274 from trunk. http: Fix LimitRequestBody checks when there is no more bytes to read. Submitted by: Michael Kaufmann Committed by: ylavic Reviewed by: ylavic, mrumph, wrowe git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1688935 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index c270e426717..792e5e615c0 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,8 @@ Changes with Apache 2.4.16 + *) http: Fix LimitRequestBody checks when there is no more bytes to read. + [Michael Kaufmann ] Changes with Apache 2.4.15 diff --git a/STATUS b/STATUS index 0f2ac6033c4..925a693e081 100644 --- a/STATUS +++ b/STATUS @@ -119,13 +119,6 @@ RELEASE SHOWSTOPPERS: race to 3 +1's] [docs/manual .xml's require 'build all' regeneration] - *) http: Fix LimitRequestBody checks when there is no more bytes to read. - [Michael Kaufmann ] - trunk patch: http://svn.apache.org/r1688274 - 2.4.x patch: http://people.apache.org/~ylavic/httpd-2.4.x-fix_LimitRequestBody.patch - (modulo CHANGES, patch needed because of bail_out_on_error) - +1: ylavic, mrumph, wrowe - PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c index 70b5484b837..46e9022d954 100644 --- a/modules/http/http_filters.c +++ b/modules/http/http_filters.c @@ -321,7 +321,6 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, apr_bucket *e; http_ctx_t *ctx = f->ctx; apr_status_t rv; - apr_off_t totalread; int http_error = HTTP_REQUEST_ENTITY_TOO_LARGE; apr_bucket_brigade *bb; int again; @@ -557,6 +556,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, readbytes = ctx->remaining; } if (readbytes > 0) { + apr_off_t totalread; rv = ap_get_brigade(f->next, b, mode, block, readbytes); @@ -599,6 +599,24 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, } } + /* We have a limit in effect. */ + if (ctx->limit) { + /* FIXME: Note that we might get slightly confused on + * chunked inputs as we'd need to compensate for the chunk + * lengths which may not really count. This seems to be up + * for interpretation. + */ + ctx->limit_used += totalread; + if (ctx->limit < ctx->limit_used) { + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r, + APLOGNO(01591) "Read content length of " + "%" APR_OFF_T_FMT " is larger than the " + "configured limit of %" APR_OFF_T_FMT, + ctx->limit_used, ctx->limit); + return bail_out_on_error(ctx, f, + HTTP_REQUEST_ENTITY_TOO_LARGE); + } + } } /* If we have no more bytes remaining on a C-L request, @@ -610,21 +628,6 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, ctx->eos_sent = 1; } - /* We have a limit in effect. */ - if (ctx->limit) { - /* FIXME: Note that we might get slightly confused on chunked inputs - * as we'd need to compensate for the chunk lengths which may not - * really count. This seems to be up for interpretation. */ - ctx->limit_used += totalread; - if (ctx->limit < ctx->limit_used) { - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, f->r, APLOGNO(01591) - "Read content-length of %" APR_OFF_T_FMT - " is larger than the configured limit" - " of %" APR_OFF_T_FMT, ctx->limit_used, ctx->limit); - return bail_out_on_error(ctx, f, HTTP_REQUEST_ENTITY_TOO_LARGE); - } - } - break; } case BODY_CHUNK_TRAILER: {