From 771d2e83a61e17231ca3d822b15979565ef2b0ab Mon Sep 17 00:00:00 2001
From: Jim Jagielski
Date: Thu, 9 Jan 2014 14:29:47 +0000
Subject: [PATCH] Merge r1556428 from trunk: SECURITY: CVE-2013-6438 (cve.mitre.org) mod_dav: Keep track of length of cdata properly when removing leading spaces. * modules/dav/main/util.c (dav_xml_get_cdata): reduce len variable when increasing cdata pointer. Submitted by: Amin Tora Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1556816 13f79535-47bb-0310-9956-ffa450edef68
---
 STATUS | 4 ----
 modules/dav/main/util.c | 4 +++-
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/STATUS b/STATUS
index 8003e061bd..cac3167362 100644
--- a/STATUS
+++ b/STATUS
@@ -104,10 +104,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: 2.4.x patch: trunk works, + CHANGES +1: covener, druggeri, trawick - * mod_dav: Fix string length calculation in dav_xml_get_cdata() - trunk patch: https://svn.apache.org/r1556428 - 2.4.x: trunk patch applies aka `svn merge -c 1556428 ^/httpd/httpd/trunk` - +1: breser, trawick, covener PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ]
diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c
index 1f393401b2..4e85a04f06 100644
--- a/modules/dav/main/util.c
+++ b/modules/dav/main/util.c
@@ -396,8 +396,10 @@ DAV_DECLARE(const char *) dav_xml_get_cdata(const apr_xml_elem *elem, apr_pool_t
 if (strip_white) {
 /* trim leading whitespace */
- while (apr_isspace(*cdata)) /* assume: return false for '\0' */
+ while (apr_isspace(*cdata)) { /* assume: return false for '\0' */
 ++cdata;
+ --len;
+ }
 /* trim trailing whitespace */
 while (len-- > 0 && apr_isspace(cdata[len]))
--
2.40.0
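Review bot: The leading-whitespace loop in `dav_xml_get_cdata` is still bounded only by the NUL-terminator assumption recorded in its comment (`assume: return false for '\0'`), so `len` stays correct only while that assumption holds. Bounding it by the length as well, `while (len > 0 && apr_isspace(*cdata)) {`, would make the invariant explicit and stop `len` from running past zero if the buffer and the count ever disagree. A short comment on the new `--len;` line, for example `/* keep len in step with cdata: the trailing trim indexes cdata[len] */`, would record why the decrement matters, since without it the trailing loop appears to start beyond the end of the string. The declaration of `len` and the code after the trailing loop are outside this hunk, so its signedness and later use should be checked there.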