From 00b86812a870cdce79979c67da544e2bbde4aa71 Mon Sep 17 00:00:00 2001 From: "William A. Rowe Jr" Date: Thu, 14 Jul 2005 16:17:56 +0000 Subject: [PATCH] Missed an edge case; once we know the C-L didn't match, it's time to shut down the body already. Finish reading from the client but do nothing else, returning an error. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@219057 13f79535-47bb-0310-9956-ffa450edef68 --- modules/proxy/mod_proxy_http.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c index 10e6ad4475..b3c33e758b 100644 --- a/modules/proxy/mod_proxy_http.c +++ b/modules/proxy/mod_proxy_http.c @@ -332,6 +332,7 @@ static apr_status_t stream_reqbody_cl(apr_pool_t *p, } apr_brigade_length(input_brigade, 1, &bytes); + bytes_streamed += bytes; /* If this brigade contains EOS, either stop or remove it. */ if (APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(input_brigade))) { @@ -349,6 +350,18 @@ static apr_status_t stream_reqbody_cl(apr_pool_t *p, apr_bucket_delete(e); } + /* C-L < bytes streamed?!? + * We will error out after the body is completely + * consumed, but we can't stream more bytes at the + * back end since they would in part be interpreted + * as another request! If nothing is sent, then + * just send nothing. + * + * Prevents HTTP Response Splitting. + */ + if (bytes_streamed > cl_val) + continue; + if (header_brigade) { /* we never sent the header brigade, so go ahead and * take care of that now @@ -365,8 +378,6 @@ static apr_status_t stream_reqbody_cl(apr_pool_t *p, if (status != APR_SUCCESS) { return status; } - - bytes_streamed += bytes; } while (!seen_eos); if (bytes_streamed != cl_val) { -- 2.40.0