From: Stefan Fritsch <sf@apache.org>
Date: Sun, 24 Oct 2010 08:32:10 +0000 (+0000)
Subject: If an unknown Content-* header is received for a PUT request, we must not
X-Git-Tag: 2.3.9~228
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a1662e0f4149e38f977258c492bd8263da2ec3d7;p=thirdparty%2Fapache%2Fhttpd.git

If an unknown Content-* header is received for a PUT request, we must not
ignore it but reply with 501 per RFC 2616 9.6.

PR: 42978


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1026746 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 2bb6fca7471..2cd6e4dbb32 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,9 @@ Changes with Apache 2.3.9
      Fix a denial of service attack against mod_reqtimeout.
      [Stefan Fritsch]
 
+  *) mod_dav: Send 501 error if unknown Content-* header is received for a PUT
+     request (RFC 2616 9.6). PR 42978. [Stefan Fritsch]
+
   *) mod_dav: Send 400 error if malformed Content-Range header is received for
      a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch]
 
diff --git a/STATUS b/STATUS
index 61aa891b5b5..ac286c45bf1 100644
--- a/STATUS
+++ b/STATUS
@@ -142,7 +142,7 @@ RELEASE NON-SHOWSTOPPERS BUT WOULD BE REAL NICE TO WRAP THESE UP:
   * RFC 2616 violations.
     Closed PRs: 15852, 15857, 15859, 15861, 15864, 15869, 15870, 16120,
                 16125, 16135, 16136, 16137, 16138, 16139, 16140, 16518,
-                16520, 49825 
+                16520, 42978, 49825
     Open PRs:   15865, 15866, 15868, 16126, 16133, 16142, 16521
     jerenkrantz says: need to decide how many we need to backport and/or
                       if these rise to showstopper status.
diff --git a/modules/dav/main/mod_dav.c b/modules/dav/main/mod_dav.c
index 42d3abaa751..ec154cd2b2b 100644
--- a/modules/dav/main/mod_dav.c
+++ b/modules/dav/main/mod_dav.c
@@ -802,6 +802,30 @@ static int dav_parse_range(request_rec *r,
     return 1;
 }
 
+static const char *dav_validate_content_headers(request_rec *r)
+{
+    int i, prefix_len = strlen("content-");
+    const apr_array_header_t *arr = apr_table_elts(r->headers_in);
+    const apr_table_entry_t *elts = (const apr_table_entry_t *)arr->elts;
+
+    for (i = 0; i < arr->nelts; ++i) {
+         if (elts[i].key == NULL)
+             continue;
+         if (strncasecmp(elts[i].key, "content-", prefix_len) == 0
+             && strcasecmp(elts[i].key + prefix_len, "length") != 0
+             && strcasecmp(elts[i].key + prefix_len, "range") != 0
+             /* Content-Location may be ignored per RFC 2616 14.14 */
+             && strcasecmp(elts[i].key + prefix_len, "location") != 0
+             && strcasecmp(elts[i].key + prefix_len, "type") != 0)
+         {
+             /* XXX: content-md5? content-language? content-encoding? */
+             return apr_psprintf(r->pool, "Support for %s is not implemented.",
+                                 ap_escape_html(r->pool, elts[i].key));
+         }
+    }
+    return NULL;
+}
+
 /* handle the GET method */
 static int dav_method_get(request_rec *r)
 {
@@ -949,6 +973,14 @@ static int dav_method_put(request_rec *r)
         mode = DAV_MODE_WRITE_TRUNC;
     }
 
+    if ((body = dav_validate_content_headers(r)) != NULL) {
+        /* RFC 2616 9.6: We must not ignore any Content-* headers we do not
+         * understand.
+         * XXX: Relax this for HTTP 1.0 requests?
+         */
+        return dav_error_response(r, HTTP_NOT_IMPLEMENTED, body);
+    }
+
     /* make sure the resource can be modified (if versioning repository) */
     if ((err = dav_auto_checkout(r, resource,
                                  0 /* not parent_only */,