From: Yann Ylavic <ylavic@apache.org>
Date: Tue, 30 Jun 2020 16:05:56 +0000 (+0000)
Subject: Follow up to r1877955: don't reuse the connection for mixed C-L / T-E requests
X-Git-Tag: 2.5.0-alpha2-ci-test-only~1311
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7972307ee1c89e6efe8091e332a4f618b7d5d43;p=thirdparty%2Fapache%2Fhttpd.git

Follow up to r1877955: don't reuse the connection for mixed C-L / T-E requests

Disable keepalive on the connection if we received both Content-Length and
chunked Transfer-Encoding in the request, to avoid confusion with front
intermediaries and potential further request/response splitting.

This is what we do already for mod_proxy backend connections in the same case.

While at it, replace draft httpbis links with final RFC7230's.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879373 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/server/protocol.c b/server/protocol.c
index b1f1974cf88..626560a64f6 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -1534,7 +1534,7 @@ request_rec *ap_read_request(conn_rec *conn)
 
         tenc = apr_table_get(r->headers_in, "Transfer-Encoding");
         if (tenc) {
-            /* http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-23
+            /* https://tools.ietf.org/html/rfc7230
              * Section 3.3.3.3: "If a Transfer-Encoding header field is
              * present in a request and the chunked transfer coding is not
              * the final encoding ...; the server MUST respond with the 400
@@ -1548,13 +1548,20 @@ request_rec *ap_read_request(conn_rec *conn)
                 goto die_unusable_input;
             }
 
-            /* http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-23
+            /* https://tools.ietf.org/html/rfc7230
              * Section 3.3.3.3: "If a message is received with both a
              * Transfer-Encoding and a Content-Length header field, the
              * Transfer-Encoding overrides the Content-Length. ... A sender
              * MUST remove the received Content-Length field".
              */
-            apr_table_unset(r->headers_in, "Content-Length");
+            if (clen) {
+                apr_table_unset(r->headers_in, "Content-Length");
+
+                /* Don't reuse this connection anyway to avoid confusion with
+                 * intermediaries and request/reponse spltting.
+                 */
+                conn->keepalive = AP_CONN_CLOSE;
+            }
         }
     }