From: Justin Erenkrantz <jerenkrantz@apache.org>
Date: Wed, 19 Feb 2003 06:50:10 +0000 (+0000)
Subject: Return 413 if chunk-ext-header is too long rather than reading from a truncated
X-Git-Tag: pre_ajp_proxy~2106
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ce66773d84bc5de96687542ee03e8bd47e9e2caa;p=apache

Return 413 if chunk-ext-header is too long rather than reading from a truncated
line.

(Previously, we'd count the unread part of the line towards the chunk.)

PR: 15857


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@98727 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 4bfeb323b3..4447968e53 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@ Changes with Apache 2.1.0-dev
 
   [Remove entries to the current 2.0 section below, when backported]
 
+  *) Return 413 if chunk-ext-header is too long rather than reading from
+     the truncated line.  PR 15857.  [Justin Erenkrantz]
+
   *) If mod_mime_magic does not know the content-type, do not attempt to
      guess.  PR 16908.  [Andrew Gapon <agapon@telcordia.com>]
 
diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c
index 14faecc8f2..b692e21572 100644
--- a/modules/http/http_protocol.c
+++ b/modules/http/http_protocol.c
@@ -897,6 +897,7 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
             char line[30];
             apr_bucket_brigade *bb;
             apr_size_t len = 30;
+            apr_off_t brigade_length;
 
             bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
 
@@ -904,9 +905,19 @@ apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,
                                 APR_BLOCK_READ, 0);
 
             if (rv == APR_SUCCESS) {
-                rv = apr_brigade_flatten(bb, line, &len);
+                /* We have to check the length of the brigade we got back.
+                 * We will not accept partial lines.
+                 */
+                rv = apr_brigade_length(bb, 1, &brigade_length);
+                if (rv == APR_SUCCESS
+                    && brigade_length > f->r->server->limit_req_line) {
+                    rv = APR_ENOSPC;
+                }
                 if (rv == APR_SUCCESS) {
-                    ctx->remaining = get_chunk_size(line);
+                    rv = apr_brigade_flatten(bb, line, &len);
+                    if (rv == APR_SUCCESS) {
+                        ctx->remaining = get_chunk_size(line);
+                    }
                 }
             }
             apr_brigade_cleanup(bb);