From: Yann Ylavic Date: Wed, 8 Jul 2015 08:59:36 +0000 (+0000) Subject: Merge r1688536 and r1688538 from trunk. X-Git-Tag: 2.4.16~13 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=12211288321398f69800b622cbeaba45640df753;p=apache Merge r1688536 and r1688538 from trunk. http: follow up to r1685345, also needed in 2.4.x/2.2.x by r1686271/r1687339. Handle reentrance of state BODY_CHUNK_CR to avoid AH02901 when we eat BWS from multiple reads. http: follow up to r1685345. Be lenient up to 10 (room for 32bit decimals) Bad White Spaces (BWS) between chunk-size and chunk-ext/CRLF. Submitted by: ylavic Reviewed by: ylavic, jim, wrowe git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1689821 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index 01cca1772e..e0554b8568 100644 --- a/STATUS +++ b/STATUS @@ -108,14 +108,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) http: follow up to r1686271 (trunk) => r1686271 (2.4.x) - Handle reentrance of state BODY_CHUNK_CR to avoid AH02901 when we eat - BWS from multiple reads, and limit number of chunk-BWS to 10. - trunk patch: http://svn.apache.org/r1688536 - http://svn.apache.org/r1688538 - 2.4.x patch: trunk works - +1: ylavic, jim, wrowe - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c index 46e9022d95..ed8749f996 100644 --- a/modules/http/http_filters.c +++ b/modules/http/http_filters.c @@ -63,6 +63,7 @@ typedef struct http_filter_ctx apr_off_t limit; apr_off_t limit_used; apr_int32_t chunk_used; + apr_int32_t chunk_bws; apr_int32_t chunkbits; enum { @@ -175,6 +176,7 @@ static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer, ctx->remaining = 0; ctx->chunkbits = sizeof(apr_off_t) * 8; ctx->chunk_used = 0; + ctx->chunk_bws = 0; } if (c == LF) { 
@@ -206,7 +208,12 @@ static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer, } } else if (c == ' ' || c == '\t') { + /* Be lenient up to 10 BWS (term from rfc7230 - 3.2.3). + */ ctx->state = BODY_CHUNK_CR; + if (++ctx->chunk_bws > 10) { + return APR_EINVAL; + } } else if (ctx->state == BODY_CHUNK_CR) { /* @@ -484,6 +491,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b, case BODY_CHUNK: case BODY_CHUNK_PART: case BODY_CHUNK_EXT: + case BODY_CHUNK_CR: case BODY_CHUNK_LF: case BODY_CHUNK_END: case BODY_CHUNK_END_LF: {
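Review bot: in the `@@ -63,6 +63,7 @@` hunk, the new `apr_int32_t chunk_bws;` field in `http_filter_ctx` is undocumented, and its name alone does not say what is counted or over what span. Suggest a one-line comment stating that it counts the BWS characters seen after the chunk-size of the current chunk, and that `parse_chunk_size` resets it next to `ctx->chunk_used = 0;`.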
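Review bot: in the `@@ -206,7 +208,12 @@` hunk of `parse_chunk_size`, the limit in `if (++ctx->chunk_bws > 10)` is a bare literal, and the comment above it does not say why 10 was chosen; the rationale ("room for 32bit decimals") appears only in the commit message. Suggest a named constant for the limit and moving that rationale into the code comment. Separately, `ctx->state = BODY_CHUNK_CR;` is assigned before the limit check, so the `APR_EINVAL` return leaves the state already changed; doing the check first would keep the error path free of that side effect.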
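Review bot: in the `@@ -484,6 +491,7 @@` hunk of `ap_http_filter`, `case BODY_CHUNK_CR:` joins a hand-maintained list of chunk states, and nothing in this diff keeps the next new state from being left out the same way. Suggest a comment at the state `enum` in `http_filter_ctx` noting that every chunk-parsing state must also be listed in this switch. The diff also carries no test for a chunk-size line whose BWS arrives across multiple reads, which is the case the commit message describes; adding one alongside would pin the fix down.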