From 760d584e2bbb83ff8fd6c2b459cd46991768b812 Mon Sep 17 00:00:00 2001
From: Daniel Gruno
Date: Thu, 27 Feb 2014 19:10:55 +0000
Subject: [PATCH] mod_lua: Only read up to whatever the user defines as max size when using r:parsebody() - if content length is greater, return an error.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1572703 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/lua/lua_request.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
index 78bed5b017..c6ec52441b 100644
--- a/modules/lua/lua_request.c
+++ b/modules/lua/lua_request.c
@@ -15,6 +15,8 @@
 * limitations under the License.
 */
+#include
+
 #include "mod_lua.h"
 #include "lua_apr.h"
 #include "lua_dbd.h"
@@ -228,7 +230,8 @@ static int req_aprtable2luatable_cb_len(void *l, const char *key,
 requests. Used for multipart POST data.
 =======================================================================================================================
 */
-static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size)
+static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size,
+ apr_off_t *maxsize)
 {
 int rc = OK;
@@ -243,6 +246,9 @@ static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size)
 apr_off_t length = r->remaining;
 /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
+ if (maxsize != 0 && length > maxsize) {
+ return APR_EINCOMPLETE; /* Only room for incomplete data chunk :( */
+ }
 *rbuf = (const char *) apr_pcalloc(r->pool, (apr_size_t) (length + 1));
 *size = length;
 while ((len_read = ap_get_client_block(r, argsbuffer, sizeof(argsbuffer))) > 0) {
@@ -336,7 +342,7 @@ static int req_parsebody(lua_State *L)
 int i;
 size_t vlen = 0;
 size_t len = 0;
- if (lua_read_body(r, &data, (apr_off_t*) &size) != OK) {
+ if (lua_read_body(r, &data, (apr_off_t*) &size, max_post_size) != OK) {
 return 2;
 }
 len = strlen(multipart);
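Review bot: The new parameter in the `lua_read_body` signature is declared `apr_off_t *maxsize`, a pointer, but the guard added in the next hunk compares it directly with an offset (`length > maxsize`), and both call sites pass what look like plain values (`max_post_size`, `maxSize`; their declarations are outside the hunks). As written, the size limit this commit is meant to enforce is a pointer/integer comparison that relies on implicit conversions and should draw a compiler warning. Taking the limit by value, `apr_off_t maxsize)`, makes `maxsize != 0 && length > maxsize` a comparison of two offsets. The function body continues outside this hunk.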
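Review bot: In the guard added to `lua_read_body`, `maxsize != 0` makes zero mean "no limit", and in that case the `apr_pcalloc(r->pool, (apr_size_t) (length + 1))` just below is still sized only by `length`, which is taken from `r->remaining`. Nothing in the hunk documents that sentinel; the comment block above the function should state it, e.g. `maxsize: largest body to buffer, in bytes; 0 disables the limit`, so callers pick it deliberately. The early return also hands back an APR status (`APR_EINCOMPLETE`) from a function whose `rc` starts as `OK`; the visible callers only test `!= OK`, so this works, but a short comment on the mixed return codes would help the next reader. The function starts and ends outside this hunk.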
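Review bot: The changed call in `req_parsebody` keeps the cast `(apr_off_t*) &size`, which suggests `size` is declared with a type other than `apr_off_t` (the declaration is outside the hunk; the neighbouring locals are `size_t`). `lua_read_body` stores through that pointer with `*size = length`, so if `size` is narrower than `apr_off_t` on a given build, the store writes past the variable. Declaring the local as `apr_off_t size = 0;` and passing `&size` without the cast removes the mismatch. Where `max_post_size` gets its value is also outside the hunk, so its default cannot be checked here.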
@@ -411,7 +417,7 @@ static int lua_ap_requestbody(lua_State *L)
 if (!filename) {
 const char *data;
- if (lua_read_body(r, &data, &size) != OK)
+ if (lua_read_body(r, &data, &size, maxSize) != OK)
 return (0);
 lua_pushlstring(L, data, (size_t) size);
--
2.40.0
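Review bot: On the failure path of this call in `lua_ap_requestbody`, `return (0);` gives the Lua script no values, so a body rejected by the new size limit is indistinguishable from any other read failure and leaves no trace for operators. Consider having that branch return an explicit error, e.g. `lua_pushnil(L); lua_pushliteral(L, "could not read request body"); return 2;`, or at least log the rejection so oversized uploads are visible. The declaration of `maxSize` is outside the hunk; if it can be 0, the `maxsize != 0` test in `lua_read_body` disables the limit for this path. The function continues outside this hunk.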