From: Yann Ylavic Date: Tue, 2 Jun 2015 14:49:32 +0000 (+0000) Subject: core: Avoid a possible truncation of the faulty header included in the X-Git-Tag: 2.5.0-alpha~3105 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=30c166fcb2d6627c1b7a2618ad1c7edf22655b3a;p=apache core: Avoid a possible truncation of the faulty header included in the HTML response when LimitRequestFieldSize is reached. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1683123 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 88db7237d5..61b94cfc6e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) core: Avoid a possible truncation of the faulty header included in the + HTML response when LimitRequestFieldSize is reached. [Yann Ylavic] + *) core: Don't lowercase the argument to SetHandler if it begins with "proxy:unix". PR 57968. [Eric Covener] diff --git a/server/protocol.c b/server/protocol.c index 5759f69afa..d6623cf04f 100644 --- a/server/protocol.c +++ b/server/protocol.c @@ -796,7 +796,7 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb */ if (rv == APR_ENOSPC) { const char *field_escaped; - if (field) { + if (field && len) { /* ensure ap_escape_html will terminate correctly */ field[len - 1] = '\0'; field_escaped = ap_escape_html(r->pool, field); @@ -832,18 +832,21 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb apr_size_t fold_len = last_len + len + 1; /* trailing null */ if (fold_len >= (apr_size_t)(r->server->limit_req_fieldsize)) { + const char *field_escaped; + r->status = HTTP_BAD_REQUEST; /* report what we have accumulated so far before the * overflow (last_field) as the field with the problem */ + field_escaped = ap_escape_html(r->pool, last_field); apr_table_setn(r->notes, "error-notes", apr_psprintf(r->pool, "Size of a request header field " "after folding " "exceeds server limit.
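Review bot: The added `len` test in `if (field && len)` in the first server/protocol.c hunk is what keeps `field[len - 1] = '\0'` from writing outside the buffer when `len` is zero, but neither the comment nor the CHANGES entry says so. If `len` is an unsigned size type (the next hunk adds it to an `apr_size_t`, so presumably it is), `len - 1` wraps and the store lands far outside `field`. I would record that beside the guard, e.g. `/* len == 0: field[len - 1] would index outside the buffer */`, and mention the guard in the commit message so the memory-safety part of the change is traceable. The else branch and the rest of ap_get_mime_headers_core are outside the hunk, so whether `len` can be zero on the APR_ENOSPC path cannot be confirmed from here.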
\n" "
\n%.*s\n
\n", - field_name_len(last_field), - ap_escape_html(r->pool, last_field))); + field_name_len(field_escaped), + field_escaped)); ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00562) "Request header exceeds LimitRequestFieldSize " "after folding: %.*s",
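Review bot: Taking the `%.*s` precision from `field_name_len(field_escaped)` still truncates after escaping. If field_name_len returns a cap rather than the position of the colon (its definition is outside the hunk), the cut can fall inside an entity such as `&amp;` and leave a partial entity in the error page. Truncating the raw name first and escaping the result avoids that: `field_escaped = ap_escape_html(r->pool, apr_pstrmemdup(r->pool, last_field, field_name_len(last_field)));` with a plain `%s` in the format string. `%.*s` also requires an `int` precision, so field_name_len's return type is worth confirming. The arguments of the ap_log_rerror call that follows are outside the hunk.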