core: Avoid a possible truncation of the faulty header included in the
authorWilliam A. Rowe Jr <wrowe@apache.org>
Wed, 8 Jul 2015 20:58:08 +0000 (20:58 +0000)
committerWilliam A. Rowe Jr <wrowe@apache.org>
Wed, 8 Jul 2015 20:58:08 +0000 (20:58 +0000)
HTML response when LimitRequestFieldSize is reached.

Submitted by: ylavic
Backports: 1683123
Reviewed by: jailletc36, ylavic, covener

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1689961 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
server/protocol.c

diff --git a/CHANGES b/CHANGES
index deffbee9b331978f4d24dfa6b3fb74eb714c472e..63f64e8178f72e83f52533ac95cc66365cc8ab6a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -12,6 +12,9 @@ Changes with Apache 2.4.16
      with the timeouts computed for subsequent requests.  PR 56729.
      [Eric Covener, Yann Ylavic]
 
+  *) core: Avoid a possible truncation of the faulty header included in the
+     HTML response when LimitRequestFieldSize is reached.  [Yann Ylavic]
+
 Changes with Apache 2.4.15
 
   *) mod_ext_filter, mod_charset_lite: Avoid inadvertent filtering of protocol
diff --git a/STATUS b/STATUS
index eddb3d57c13ea82fbc77c2df6e48bff48c1cb2cc..bd4cdafe7c5d110ba98d8c8ea099209d78bd77f7 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -108,12 +108,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) core: Avoid a possible truncation of the faulty header included in the
-     HTML response when LimitRequestFieldSize is reached.
-     trunk patch: http://svn.apache.org/r1683123
-     2.4.x patch: trunk works (modulo CHANGES)
-     +1: jailletc36, ylavic, covener
-
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
index a8c1d6829b03f75af142d8a35a130e4253b18199..8ebf4f41f6324b8ae1c52ba9d18aea10acc62b73 100644 (file)
@@ -729,7 +729,7 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
              */
             if (rv == APR_ENOSPC) {
                 const char *field_escaped;
-                if (field) {
+                if (field && len) {
                     /* ensure ap_escape_html will terminate correctly */
                     field[len - 1] = '\0';
                     field_escaped = ap_escape_html(r->pool, field);
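Review bot: The new `len` test on the `if (field && len)` line is not explained by the comment beneath it, which still only mentions termination. Without the test, `field[len - 1]` with a zero `len` would index before the buffer, or far past it if `len` is an unsigned size type (it is summed into an `apr_size_t` in the next hunk, but its declaration is outside this one). I would extend the comment to something like `/* len == 0: nothing to terminate, and len - 1 would index outside field */`. The `else` branch that handles the rejected case lies outside the hunk, so what is reported for an empty field cannot be checked from here.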
@@ -765,18 +765,21 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
                 apr_size_t fold_len = last_len + len + 1; /* trailing null */
 
                 if (fold_len >= (apr_size_t)(r->server->limit_req_fieldsize)) {
+                    const char *field_escaped;
+
                     r->status = HTTP_BAD_REQUEST;
                     /* report what we have accumulated so far before the
                      * overflow (last_field) as the field with the problem
                      */
+                    field_escaped = ap_escape_html(r->pool, last_field);
                     apr_table_setn(r->notes, "error-notes",
                                    apr_psprintf(r->pool,
                                                "Size of a request header field "
                                                "after folding "
                                                "exceeds server limit.<br />\n"
                                                "<pre>\n%.*s\n</pre>\n", 
-                                               field_name_len(last_field), 
-                                               ap_escape_html(r->pool, last_field)));
+                                               field_name_len(field_escaped), 
+                                               field_escaped));
                     ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00562)
                                   "Request header exceeds LimitRequestFieldSize "
                                   "after folding: %.*s",
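Review bot: Measuring and cutting the already-escaped string in the `%.*s` arguments can split an entity that `ap_escape_html` produced (for instance `&amp;`) if `field_name_len` ever returns less than the full escaped name, e.g. because it caps the length; its definition is not in this hunk, so this is inferred. Cutting the raw name first and escaping the result avoids that: `field_escaped = ap_escape_html(r->pool, apr_pstrmemdup(r->pool, last_field, field_name_len(last_field)));`, then print it with a plain `%s`. Separately, `%.*s` takes an `int` precision, so a cast would be needed if `field_name_len` returns a wider type. The `ap_log_rerror` call continues past the end of the hunk, so its arguments were not reviewed.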