From 29525f5d2c0514611cb8c5b616fd88d6fc0ce6a0 Mon Sep 17 00:00:00 2001
From: "William A. Rowe Jr" <wrowe@apache.org>
Date: Tue, 2 Mar 2010 04:46:13 +0000
Subject: [PATCH] SECURITY: CVE-2010-0408 (cve.mitre.org)

mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent after
request headers indicate a request body is incoming; this is not a case of
HTTP_INTERNAL_SERVER_ERROR.

Submitted by: Niku Toivola <niku.toivola sulake.com>
Reviewed by: rpluem, jim, wrowe



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@917875 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/proxy/mod_proxy_ajp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
index 635ba32a89..0f5674cbec 100644
--- a/modules/proxy/mod_proxy_ajp.c
+++ b/modules/proxy/mod_proxy_ajp.c
@@ -257,7 +257,7 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                          "proxy: ap_get_brigade failed");
             apr_brigade_destroy(input_brigade);
-            return HTTP_INTERNAL_SERVER_ERROR;
+            return HTTP_BAD_REQUEST;
         }
 
         /* have something */
-- 
2.40.0