core: Avoid a possible truncation of the faulty header included in the
authorYann Ylavic <ylavic@apache.org>
Tue, 2 Jun 2015 14:49:32 +0000 (14:49 +0000)
committerYann Ylavic <ylavic@apache.org>
Tue, 2 Jun 2015 14:49:32 +0000 (14:49 +0000)
HTML response when LimitRequestFieldSize is reached.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1683123 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
server/protocol.c

diff --git a/CHANGES b/CHANGES
index 88db7237d582febe6b57599e60daedaa7f6052f3..61b94cfc6e7b26b453c3d581f0055f7438fe5b5e 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) core: Avoid a possible truncation of the faulty header included in the
+     HTML response when LimitRequestFieldSize is reached.  [Yann Ylavic]
+
   *) core: Don't lowercase the argument to SetHandler if it begins with
      "proxy:unix". PR 57968. [Eric Covener]
 
index 5759f69afac54aac5489daedb004b75786c2a434..d6623cf04f319b68983d5f72ed2477966e4cc285 100644 (file)
@@ -796,7 +796,7 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
              */
             if (rv == APR_ENOSPC) {
                 const char *field_escaped;
-                if (field) {
+                if (field && len) {
                     /* ensure ap_escape_html will terminate correctly */
                     field[len - 1] = '\0';
                     field_escaped = ap_escape_html(r->pool, field);
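Review bot: The comment above `field[len - 1] = '\0';` still speaks only of termination and does not say why `len` is now tested. Without that test a zero length would index one byte before the buffer, or far outside it if `len` is unsigned (its declaration is outside the hunk). The reason is worth recording, for example `/* len == 0 would index field[-1]; also ensures ap_escape_html terminates */`. The branch taken when `len` is 0 lies outside the hunk, so it is worth confirming that it reports a sensible placeholder in place of the field text.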
@@ -832,18 +832,21 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
                 apr_size_t fold_len = last_len + len + 1; /* trailing null */
 
                 if (fold_len >= (apr_size_t)(r->server->limit_req_fieldsize)) {
+                    const char *field_escaped;
+
                     r->status = HTTP_BAD_REQUEST;
                     /* report what we have accumulated so far before the
                      * overflow (last_field) as the field with the problem
                      */
+                    field_escaped = ap_escape_html(r->pool, last_field);
                     apr_table_setn(r->notes, "error-notes",
                                    apr_psprintf(r->pool,
                                                "Size of a request header field "
                                                "after folding "
                                                "exceeds server limit.<br />\n"
                                                "<pre>\n%.*s\n</pre>\n", 
-                                               field_name_len(last_field), 
-                                               ap_escape_html(r->pool, last_field)));
+                                               field_name_len(field_escaped), 
+                                               field_escaped));
                     ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00562)
                                   "Request header exceeds LimitRequestFieldSize "
                                   "after folding: %.*s",
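Review bot: The added `field_escaped = ap_escape_html(r->pool, last_field);` escapes the whole accumulated field although only its name is printed, and the `%.*s` precision is then measured on the escaped text. If `field_name_len` caps its result (its definition is outside this hunk), the cut can land inside an entity such as `&amp;`, so the error page would show a partial entity. The escaping itself is still applied, so this affects display, not output safety. Copying the name first and escaping only that avoids both the extra pool allocation and the mid-entity cut: `field_escaped = ap_escape_html(r->pool, apr_pstrmemdup(r->pool, last_field, field_name_len(last_field)));` with a plain `%s` in the format string. The enclosing function starts and ends outside the hunk.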