http: follow up to r1685345.

Be lenient up to 10 (room for 32bit decimals) Bad White Spaces (BWS)
between chunk-size and chunk-ext/CRLF.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1688538 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
index 49c8870e43dd1c513ebe277465e8f809d1c36807..4304afa3a1132e3494bf59644714a96fa6b69539 100644 (file)
--- a/modules/http/http_filters.c
+++ b/modules/http/http_filters.c
@@ -63,6 +63,7 @@ typedef struct http_filter_ctx
     apr_off_t limit;
     apr_off_t limit_used;
     apr_int32_t chunk_used;
+    apr_int32_t chunk_bws;
     apr_int32_t chunkbits;
     enum
     {
@@ -133,6 +134,7 @@ static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer,
             ctx->remaining = 0;
             ctx->chunkbits = sizeof(apr_off_t) * 8;
             ctx->chunk_used = 0;
+            ctx->chunk_bws = 0;
         }
 
         if (c == LF) {
@@ -164,7 +166,12 @@ static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer,
             }
         }
         else if (c == ' ' || c == '\t') {
+            /* Be lenient up to 10 BWS (term from rfc7230 - 3.2.3).
+             */
             ctx->state = BODY_CHUNK_CR;
+            if (++ctx->chunk_bws > 10) {
+                return APR_EINVAL;
+            }
         }
         else if (ctx->state == BODY_CHUNK_CR) {
             /*