From 7716d3c3e3a335829c7256c8fd708923cf79a3e8 Mon Sep 17 00:00:00 2001
From: "William A. Rowe Jr"
Date: Thu, 10 Jun 2010 03:02:07 +0000
Subject: [PATCH] Drop ap_body_to_table due to missing constraints; a DoS waiting for an exploit. Some mod_lua fan aught to revisit this and provide a sensible implementation.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@953203 13f79535-47bb-0310-9956-ffa450edef68
---
 include/ap_mmn.h | 4 +-
 include/util_script.h | 2 -
 modules/lua/lua_request.c | 15 --------
 modules/lua/mod_lua.c | 2 +-
 server/util_script.c | 80 ---------------------------------------
 5 files changed, 3 insertions(+), 100 deletions(-)
diff --git a/include/ap_mmn.h b/include/ap_mmn.h
index f3b13c31f2..d296c2c205 100644
--- a/include/ap_mmn.h
+++ b/include/ap_mmn.h
@@ -227,13 +227,13 @@
 * Introduce per-module loglevels
 * 20100606.1 (2.3.6-dev) Added extended timestamp formatting via
 * ap_recent_ctime_ex().
- *
+ * 20100609.0 (2.3.6-dev) Dropped ap_args_to_table due to missing constraints.
 */
 #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
-#define MODULE_MAGIC_NUMBER_MAJOR 20100606
+#define MODULE_MAGIC_NUMBER_MAJOR 20100609
 #endif
 #define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */
diff --git a/include/util_script.h b/include/util_script.h
index fe638ee07b..924dd14256 100644
--- a/include/util_script.h
+++ b/include/util_script.h
@@ -142,8 +142,6 @@ AP_DECLARE(int) ap_scan_script_header_err_core(request_rec *r, char *buffer,
 AP_DECLARE(void) ap_args_to_table(request_rec *r, apr_table_t **table);
-AP_DECLARE(apr_status_t) ap_body_to_table(request_rec *r, apr_table_t **table);
-
 #ifdef __cplusplus
 }
 #endif
diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
index 447de083a6..c76762a975 100644
--- a/modules/lua/lua_request.c
+++ b/modules/lua/lua_request.c
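Review bot: The changelog entry added in include/ap_mmn.h names the wrong function: it records `ap_args_to_table` as dropped, but the declaration removed from include/util_script.h is `ap_body_to_table`, and `ap_args_to_table` remains there as a context line. Module authors read this log to learn which API went away with the major-number bump, so the entry should read ` * 20100609.0 (2.3.6-dev) Dropped ap_body_to_table due to missing constraints.`. The entry could also state that the removed function buffered the whole request body with no size limit, since that is the constraint any replacement has to supply.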
@@ -189,19 +189,6 @@ static int req_write(lua_State *L)
 return 0;
 }
-/* r:parsebody() */
-static int req_parsebody(lua_State *L)
-{
- apr_table_t *form_table;
- request_rec *r = ap_lua_check_request_rec(L, 1);
- lua_newtable(L);
- lua_newtable(L);
- if (ap_body_to_table(r, &form_table) == APR_SUCCESS) {
- apr_table_do(req_aprtable2luatable_cb, L, form_table, NULL);
- }
- return 2;
-}
-
 /* r:addoutputfilter(name|function) */
 static int req_add_output_filter(lua_State *L)
 {
@@ -538,8 +525,6 @@ AP_LUA_DECLARE(void) ap_lua_load_request_lmodule(lua_State *L, apr_pool_t *p)
 makefun(&req_document_root, APL_REQ_FUNTYPE_STRING, p));
 apr_hash_set(dispatch, "parseargs", APR_HASH_KEY_STRING,
 makefun(&req_parseargs, APL_REQ_FUNTYPE_LUACFUN, p));
- apr_hash_set(dispatch, "parsebody", APR_HASH_KEY_STRING,
- makefun(&req_parsebody, APL_REQ_FUNTYPE_LUACFUN, p));
 apr_hash_set(dispatch, "debug", APR_HASH_KEY_STRING,
 makefun(&req_debug, APL_REQ_FUNTYPE_LUACFUN, p));
 apr_hash_set(dispatch, "info", APR_HASH_KEY_STRING,
diff --git a/modules/lua/mod_lua.c b/modules/lua/mod_lua.c
index 2c1949426c..3f088dd533 100644
--- a/modules/lua/mod_lua.c
+++ b/modules/lua/mod_lua.c
@@ -373,7 +373,7 @@ static const char *direct_chunkreader(lua_State *lvm, void *udata,
 for (p = ctx->buf; isspace(*p); ++p);
 if (p[0] == '<' && p[1] == '/') {
- int i = 0;
+ apr_size_t i = 0;
 while (i < strlen(ctx->endstr)) {
 if (tolower(p[i + 2]) != ctx->endstr[i]) return ctx->buf;
diff --git a/server/util_script.c b/server/util_script.c
index b518f62b69..bf70a9f0d3 100644
--- a/server/util_script.c
+++ b/server/util_script.c
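Review bot: In modules/lua/mod_lua.c the loop now indexed by `apr_size_t i` still hands a plain `char` to `tolower()`, and `isspace(*p)` two lines above does the same. If `p` is a `char *` (its declaration is outside the hunk), a byte above 0x7f becomes a negative argument on signed-char platforms, which is outside the range the `<ctype.h>` functions accept. Casting at the call sites, `tolower((unsigned char)p[i + 2])` and `isspace((unsigned char)*p)`, removes that dependence on the input bytes. `strlen(ctx->endstr)` could also be read once before the loop instead of on every iteration. direct_chunkreader begins and ends outside the hunk, so check how `p` and `ctx->buf` are declared before applying this.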
@@ -760,83 +760,3 @@ AP_DECLARE(void) ap_args_to_table(request_rec *r, apr_table_t **table)
 argstr_to_table(apr_pstrdup(r->pool, r->args), t);
 *table = t;
 }
-
-AP_DECLARE(apr_status_t) ap_body_to_table(request_rec *r, apr_table_t **table)
-{
- apr_bucket_brigade *bb;
- apr_bucket_brigade *tmpbb;
- apr_status_t rv = APR_SUCCESS;
-
- if (r->body_table) {
- *table = r->body_table;
- return APR_SUCCESS;
- }
-
- *table = NULL;
-
- bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
- tmpbb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
-
- do {
- apr_off_t len;
-
- rv = ap_get_brigade(r->input_filters, tmpbb, AP_MODE_READBYTES,
- APR_BLOCK_READ, AP_IOBUFSIZE);
- if (rv) {
- break;
- }
-
- rv = apr_brigade_length(tmpbb, 1, &len);
- if (rv) {
- break;
- }
-
- if (len == 0) {
- break;
- }
-
- APR_BRIGADE_CONCAT(bb, tmpbb);
- } while(1);
-
- if (!rv) {
- r->body_table = apr_table_make(r->pool, 10);
-
- if (!APR_BRIGADE_EMPTY(bb)) {
- char *buffer;
- apr_off_t len;
- apr_pool_t *tpool;
-
- apr_pool_create(&tpool, r->pool);
-
- rv = apr_brigade_length(bb, 1, &len);
-
- if (!rv) {
- apr_size_t total;
- /* XXX where's our test that len fits in memory???
- * theoretically can be a large file > ram space.
- * need to cast len to apr_size_t but it would mask
- * this notable mistake
- */
- buffer = apr_palloc(tpool, len+1);
-
- total = len+1;
-
- rv = apr_brigade_flatten(bb, buffer, &total);
-
- buffer[total] = '\0';
-
- argstr_to_table(buffer, r->body_table);
- }
- apr_pool_destroy(tpool);
- }
- }
-
- apr_brigade_destroy(bb);
- apr_brigade_destroy(tmpbb);
-
- *table = r->body_table;
-
- return rv;
-}
-
-
-- 2.40.0