Merge r1688536 and r1688538 from trunk. (9cc6534f) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP Apache Httpd

STATUS

+0 −8

Original line number	Diff line number	Diff line
		@@ -101,14 +101,6 @@ RELEASE SHOWSTOPPERS:
		PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
		[ start all new proposals below, under PATCHES PROPOSED. ]

		*) http: follow up to r1686271 (trunk) => r1686271 (2.4.x)
		Handle reentrance of state BODY_CHUNK_CR to avoid AH02901 when we eat
		BWS from multiple reads, and limit number of chunk-BWS to 10.
		trunk patch: http://svn.apache.org/r1688536
		http://svn.apache.org/r1688538
		2.2.x patch: trunk works
		+1: ylavic, wrowe, mrumph


		PATCHES PROPOSED TO BACKPORT FROM TRUNK:
		[ New proposals should be added at the end of the list ]

+8 −0

Original line number	Diff line number	Diff line
		@@ -62,6 +62,7 @@ typedef struct http_filter_ctx
		apr_off_t limit;
		apr_off_t limit_used;
		apr_int32_t chunk_used;
		apr_int32_t chunk_bws;
		apr_int32_t chunkbits;
		enum
		{
		@@ -174,6 +175,7 @@ static apr_status_t parse_chunk_size(http_ctx_t ctx, const char buffer,
		ctx->remaining = 0;
		ctx->chunkbits = sizeof(apr_off_t) * 8;
		ctx->chunk_used = 0;
		ctx->chunk_bws = 0;
		}

		if (c == LF) {
		@@ -205,7 +207,12 @@ static apr_status_t parse_chunk_size(http_ctx_t ctx, const char buffer,
		}
		}
		else if (c == ' ' \|\| c == '\t') {
		/* Be lenient up to 10 BWS (term from rfc7230 - 3.2.3).
		*/
		ctx->state = BODY_CHUNK_CR;
		if (++ctx->chunk_bws > 10) {
		return APR_EINVAL;
		}
		}
		else if (ctx->state == BODY_CHUNK_CR) {
		/*
		@@ -483,6 +490,7 @@ apr_status_t ap_http_filter(ap_filter_t f, apr_bucket_brigade b,
		case BODY_CHUNK:
		case BODY_CHUNK_PART:
		case BODY_CHUNK_EXT:
		case BODY_CHUNK_CR:
		case BODY_CHUNK_LF:
		case BODY_CHUNK_END:
		case BODY_CHUNK_END_LF: {