Posted to cvs@httpd.apache.org by sf...@apache.org on 2011/08/13 11:59:43 UTC

svn commit: r1157362 - in /httpd/httpd/trunk/server: util_expr_eval.c util_expr_parse.y util_expr_scan.l

Author: sf
Date: Sat Aug 13 09:59:43 2011
New Revision: 1157362

URL: http://svn.apache.org/viewvc?rev=1157362&view=rev
Log:
Do proper length checks in the expression scanner. This allows the
8K length limit for expressions to be removed. Strings/Regexes in an
expression are still limited to 8K, though.

Modified:
    httpd/httpd/trunk/server/util_expr_eval.c
    httpd/httpd/trunk/server/util_expr_parse.y
    httpd/httpd/trunk/server/util_expr_scan.l

Modified: httpd/httpd/trunk/server/util_expr_eval.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_expr_eval.c?rev=1157362&r1=1157361&r2=1157362&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util_expr_eval.c (original)
+++ httpd/httpd/trunk/server/util_expr_eval.c Sat Aug 13 09:59:43 2011
@@ -318,15 +318,6 @@ AP_DECLARE(const char *) ap_expr_parse(a
     ctx.lookup_fn   = lookup_fn ? lookup_fn : ap_expr_lookup_default;
     ctx.at_start    = 1;
 
-
-    /*
-     * Be sure to avoid overflows in the scanner. In practice the input length
-     * will be limited by the config file parser, anyway.
-     * XXX: The scanner really should do proper buffer overflow checks
-     */
-    if (ctx.inputlen >= MAX_STRING_LEN)
-        return "Expression too long";
-
     ap_expr_yylex_init(&ctx.scanner);
     ap_expr_yyset_extra(&ctx, ctx.scanner);
     rc = ap_expr_yyparse(&ctx);

Modified: httpd/httpd/trunk/server/util_expr_parse.y
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_expr_parse.y?rev=1157362&r1=1157361&r2=1157362&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util_expr_parse.y (original)
+++ httpd/httpd/trunk/server/util_expr_parse.y Sat Aug 13 09:59:43 2011
@@ -152,6 +152,7 @@ words     : word                        
 
 string    : string strpart               { $$ = ap_expr_make(op_Concat, $1, $2, ctx); }
           | strpart                      { $$ = $1; }
+          | T_ERROR                      { YYABORT; }
           ;
 
 strpart   : T_STRING                     { $$ = ap_expr_make(op_String, $1, NULL, ctx); }
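Review bot: The new `T_ERROR` alternative is added only under `string`, but the scanner part of this commit also returns `T_ERROR` from the regex rule via `PERROR("Regexp too long")`. The regex productions are outside this hunk, so it is worth confirming that an over-long regex also surfaces the scanner's message rather than a generic syntax error. Since `YYABORT` leaves the parser without producing a message of its own, a short comment on the action would help the next reader, e.g. `/* scanner has already recorded the message via PERROR(); stop parsing */`.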

Modified: httpd/httpd/trunk/server/util_expr_scan.l
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_expr_scan.l?rev=1157362&r1=1157361&r2=1157362&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util_expr_scan.l (original)
+++ httpd/httpd/trunk/server/util_expr_scan.l Sat Aug 13 09:59:43 2011
@@ -60,12 +60,18 @@
 
 #define YY_EXTRA_TYPE ap_expr_parse_ctx_t*
 
-#define PERROR(msg) yyextra->error2 = msg ; return T_ERROR;
+#define PERROR(msg) do { yyextra->error2 = msg ; return T_ERROR; } while (0)
 
 #define str_ptr     (yyextra->scan_ptr)
 #define str_buf     (yyextra->scan_buf)
 #define str_del     (yyextra->scan_del)
 
+#define STR_APPEND(c) do {                          \
+        *str_ptr++ = (c);                           \
+        if (str_ptr >= str_buf + sizeof(str_buf))   \
+            PERROR("String too long");              \
+    } while (0)
+
 %}
 
 
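Review bot: `STR_APPEND` stores the byte before it tests the bound, so it is only safe while `str_ptr` is strictly inside `str_buf` on entry, and that invariant is not written down anywhere in the hunk. I would put a comment above the macro such as `/* Append one byte; keeps str_ptr < str_buf + sizeof(str_buf), so one byte stays free (presumably for the terminator). Returns T_ERROR from the lexer on overflow. */`. The check also depends on `sizeof(str_buf)` seeing an array: `scan_buf` is declared outside this diff, and if it ever became a pointer the bound would silently turn into the pointer size. Because the macro hides a `return`, it can only be used directly inside a rule action, which the comment should say as well.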
@@ -126,7 +132,7 @@
         }
     }
     else {
-        *str_ptr++ = yytext[0];
+        STR_APPEND(yytext[0]);
     }
 }
 <str,var,vararg>\n {
@@ -156,20 +162,18 @@
         PERROR("Escape sequence out of bound");
     }
     else {
-        *str_ptr++ = result;
+        STR_APPEND(result);
     }
 }
 <str,vararg>\\[0-9]+ {
     PERROR("Bad escape sequence");
 }
-<str,vararg>\\n { *str_ptr++ = '\n'; }
-<str,vararg>\\r { *str_ptr++ = '\r'; }
-<str,vararg>\\t { *str_ptr++ = '\t'; }
-<str,vararg>\\b { *str_ptr++ = '\b'; }
-<str,vararg>\\f { *str_ptr++ = '\f'; }
-<str,vararg>\\(.|\n) {
-    *str_ptr++ = yytext[1];
-}
+<str,vararg>\\n      { STR_APPEND('\n'); }
+<str,vararg>\\r      { STR_APPEND('\r'); }
+<str,vararg>\\t      { STR_APPEND('\t'); }
+<str,vararg>\\b      { STR_APPEND('\b'); }
+<str,vararg>\\f      { STR_APPEND('\f'); }
+<str,vararg>\\(.|\n) { STR_APPEND(yytext[1]); }
 
  /* regexp backref inside string/arg */
 <str,vararg>[$][0-9] {
@@ -189,8 +193,10 @@
 
 <str,vararg>[^\\\n"'%}$]+ {
     char *cp = yytext;
-    while (*cp != '\0')
-        *str_ptr++ = *cp++;
+    while (*cp != '\0') {
+        STR_APPEND(*cp);
+        cp++;
+    }
 }
 
  /* variable inside string/arg */
@@ -210,11 +216,11 @@
 }
 
 <vararg>[%$] {
-     *str_ptr++ = yytext[0];
+     STR_APPEND(yytext[0]);
 }
 
 <str>[%}$] {
-     *str_ptr++ = yytext[0];
+     STR_APPEND(yytext[0]);
 }
 
 %\{ {
@@ -286,6 +292,8 @@
     }
     else {
         *regex_ptr++ = yytext[0];
+        if (regex_ptr >= regex_buf + sizeof(regex_buf))
+            PERROR("Regexp too long");
     }
 }
 <regex_flags>i {
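Review bot: The regex path open-codes the same store-then-check bound that the string path gets from `STR_APPEND`, which makes it easy for a later store through `regex_ptr` to be added without the check. A matching macro defined next to `STR_APPEND` would keep the two buffers consistent, so that this line becomes `REGEX_APPEND(yytext[0]);`. The rule starts above the hunk, so any other writes through `regex_ptr` are not visible here and should be checked against the same invariant. `regex_buf` is defined outside this diff; if it names a pointer rather than an array, `sizeof(regex_buf)` is not the buffer size.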