Commit 0e6b6d52 authored by William A. Rowe Jr's avatar William A. Rowe Jr

Backports: r1683123

Submitted by: ylavic
core: Avoid a possible truncation of the faulty header included in the
HTML response when LimitRequestFieldSize is reached.




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x-merge-http-strict@1775769 13f79535-47bb-0310-9956-ffa450edef68
parent 9523b04f
+3 −0
@@ -10,6 +10,9 @@ Changes with Apache 2.2.32
  *) core: Enforce LimitRequestFieldSize after multiple headers with the same
     name have been merged. [Stefan Fritsch]

  *) core: Avoid a possible truncation of the faulty header included in the
     HTML response when LimitRequestFieldSize is reached.  [Yann Ylavic]

Changes with Apache 2.2.31

  *) Correct win32 build issues for mod_proxy exports, OpenSSL 1.0.x headers.
+7 −4
@@ -738,7 +738,7 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
             */
            if (rv == APR_ENOSPC) {
                const char *field_escaped;
                if (field) {
                if (field && len) {
                    /* ensure ap_escape_html will terminate correctly */
                    field[len - 1] = '\0';
                    field_escaped = ap_escape_html(r->pool, field);
@@ -777,18 +777,21 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
                apr_size_t fold_len = last_len + len + 1; /* trailing null */

                if (fold_len >= (apr_size_t)(r->server->limit_req_fieldsize)) {
                    const char *field_escaped;

                    r->status = HTTP_BAD_REQUEST;
                    /* report what we have accumulated so far before the
                     * overflow (last_field) as the field with the problem
                     */
                    field_escaped = ap_escape_html(r->pool, last_field);
                    apr_table_setn(r->notes, "error-notes",
                                   apr_psprintf(r->pool,
                                               "Size of a request header field "
                                               "after folding "
                                               "exceeds server limit.<br />\n"
                                               "<pre>\n%.*s\n</pre>\n", 
                                               field_name_len(last_field),
                                               ap_escape_html(r->pool, last_field)));
                                               field_name_len(field_escaped), 
                                               field_escaped));
                    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                                  "Request header exceeds LimitRequestFieldSize "
                                  "after folding: %.*s",