From: Stefan Fritsch <sf@apache.org>
Date: Sat, 14 May 2011 20:58:20 +0000 (+0000)
Subject: If chunked encoding / content-length are corrupt, we may treat parts
X-Git-Tag: 2.3.13~135
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3867aa9ef445e6937863c39cc15254b96abc4ef4;p=apache

If chunked encoding / content-length are corrupt, we may treat parts
of one request's body as the next one's headers. To be safe, we should
disable keep-alive in this case.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1103223 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
index 9b6334d559..5e7abefd95 100644
--- a/modules/http/http_filters.c
+++ b/modules/http/http_filters.c
@@ -78,6 +78,7 @@ typedef struct http_filter_ctx {
     apr_bucket_brigade *bb;
 } http_ctx_t;
 
+/* bail out if some error in the HTTP input filter happens */
 static apr_status_t bail_out_on_error(http_ctx_t *ctx,
                                       ap_filter_t *f,
                                       int http_error)
@@ -93,6 +94,11 @@ static apr_status_t bail_out_on_error(http_ctx_t *ctx,
     e = apr_bucket_eos_create(f->c->bucket_alloc);
     APR_BRIGADE_INSERT_TAIL(bb, e);
     ctx->eos_sent = 1;
+    /* If chunked encoding / content-length are corrupt, we may treat parts
+     * of this request's body as the next one's headers.
+     * To be safe, disable keep-alive.
+     */
+    f->r->connection->keepalive = AP_CONN_CLOSE;
     return ap_pass_brigade(f->r->output_filters, bb);
 }