when len == 0.
Backport of r1358061 from trunk.
Submitted by: Jim Meyering <meyering redhat.com>
Reviewed by: jorton, trawick, rjung
Backported by: rjung
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1364270 13f79535-47bb-0310-9956-ffa450edef68
possible XSS for a site where untrusted users can upload files to
a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
+ *) mpm_ssl: Fix handling of empty response from OCSP server.
+ [Jim Meyering <meyering redhat.com>, Joe Orton]
+
*) mpm_event: Fix handling of MaxConnectionsPerChild. [Stefan Fritsch]
*) mod_authz_core: If an expression in "Require expr" returns denied and
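Review bot: The new CHANGES entry uses the prefix "mpm_ssl:", but the STATUS entry removed in this same commit describes the change as "mod_ssl: fix OCSP EOL handling". The OCSP client code lives in mod_ssl, not in an MPM, so the prefix should read "mod_ssl:". Otherwise anyone searching CHANGES for mod_ssl fixes will miss this entry.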
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_ssl: fix OCSP EOL handling
- trunk patch: http://svn.apache.org/viewvc?rev=1358061&view=rev
- 2.4.x patch: trunk patch works
- +1: jorton, trawick, rjung
-
* core: log value of Status line in script responses instead of header name
trunk patch: http://svn.apache.org/viewvc?rev=1362538&view=rev
2.4.x patch: trunk patch works
return NULL;
}
- if (len && line[len-1] != APR_ASCII_LF) {
+ if (len == 0) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(02321)
+ "empty response from OCSP server");
+ return NULL;
+ }
+
+ if (line[len-1] != APR_ASCII_LF) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01979)
"response header line too long from OCSP server");
return NULL;
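Review bot: The new "if (len == 0)" branch has no comment explaining why it must come first. Under the old condition "len && line[len-1] != APR_ASCII_LF", a zero-length read skipped the check entirely and fell through to the code after it. The rewritten "line[len-1]" test is only safe because the empty case has already returned. A one-line comment above the new branch saying so would stop a later cleanup from merging the two tests again. Also confirm that rv carries a meaningful status when len is 0, since it is passed to ap_log_cerror and the hunk does not show where it was last set.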