Posted to cvs@httpd.apache.org by sf...@apache.org on 2011/08/13 11:59:43 UTC
svn commit: r1157362 - in /httpd/httpd/trunk/server: util_expr_eval.c
util_expr_parse.y util_expr_scan.l
Author: sf
Date: Sat Aug 13 09:59:43 2011
New Revision: 1157362
URL: http://svn.apache.org/viewvc?rev=1157362&view=rev
Log:
Do proper length checks in the expression scanner. This allows removing the
8K length limit for expressions. Strings/Regexes in an expression are still
limited to 8K, though.
Modified:
httpd/httpd/trunk/server/util_expr_eval.c
httpd/httpd/trunk/server/util_expr_parse.y
httpd/httpd/trunk/server/util_expr_scan.l
Modified: httpd/httpd/trunk/server/util_expr_eval.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_expr_eval.c?rev=1157362&r1=1157361&r2=1157362&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util_expr_eval.c (original)
+++ httpd/httpd/trunk/server/util_expr_eval.c Sat Aug 13 09:59:43 2011
@@ -318,15 +318,6 @@ AP_DECLARE(const char *) ap_expr_parse(a
ctx.lookup_fn = lookup_fn ? lookup_fn : ap_expr_lookup_default;
ctx.at_start = 1;
-
- /*
- * Be sure to avoid overflows in the scanner. In practice the input length
- * will be limited by the config file parser, anyway.
- * XXX: The scanner really should do proper buffer overflow checks
- */
- if (ctx.inputlen >= MAX_STRING_LEN)
- return "Expression too long";
-
ap_expr_yylex_init(&ctx.scanner);
ap_expr_yyset_extra(&ctx, ctx.scanner);
rc = ap_expr_yyparse(&ctx);
Modified: httpd/httpd/trunk/server/util_expr_parse.y
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_expr_parse.y?rev=1157362&r1=1157361&r2=1157362&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util_expr_parse.y (original)
+++ httpd/httpd/trunk/server/util_expr_parse.y Sat Aug 13 09:59:43 2011
@@ -152,6 +152,7 @@ words : word
string : string strpart { $$ = ap_expr_make(op_Concat, $1, $2, ctx); }
| strpart { $$ = $1; }
+ | T_ERROR { YYABORT; }
;
strpart : T_STRING { $$ = ap_expr_make(op_String, $1, NULL, ctx); }
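Review bot: The new `| T_ERROR { YYABORT; }` alternative aborts the parse without going through yyerror, so the only message left is the one PERROR stored in `error2`. Whether ap_expr_parse returns that message when yyparse fails with no parser error set cannot be confirmed from this diff, and is worth checking now that the "Expression too long" guard is gone. T_ERROR is accepted only inside `string`, so a PERROR raised in another scanner state presumably surfaces as a generic syntax error instead. A comment such as `/* scanner already set error2; stop without a second syntax error */` on the new alternative would record the intent.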
Modified: httpd/httpd/trunk/server/util_expr_scan.l
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_expr_scan.l?rev=1157362&r1=1157361&r2=1157362&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util_expr_scan.l (original)
+++ httpd/httpd/trunk/server/util_expr_scan.l Sat Aug 13 09:59:43 2011
@@ -60,12 +60,18 @@
#define YY_EXTRA_TYPE ap_expr_parse_ctx_t*
-#define PERROR(msg) yyextra->error2 = msg ; return T_ERROR;
+#define PERROR(msg) do { yyextra->error2 = msg ; return T_ERROR; } while (0)
#define str_ptr (yyextra->scan_ptr)
#define str_buf (yyextra->scan_buf)
#define str_del (yyextra->scan_del)
+#define STR_APPEND(c) do { \
+ *str_ptr++ = (c); \
+ if (str_ptr >= str_buf + sizeof(str_buf)) \
+ PERROR("String too long"); \
+ } while (0)
+
%}
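Review bot: STR_APPEND stores the byte before it tests the bound, so it is only safe while str_ptr is strictly inside str_buf on entry; after a "String too long" return str_ptr sits one past the end, and any later append without a reset would write out of bounds. Whether the scanner can be re-entered in that state depends on parser and reset code outside this hunk, so testing first removes that dependency: `if (str_ptr >= str_buf + sizeof(str_buf) - 1) PERROR("String too long");` followed by `*str_ptr++ = (c);`, which keeps the same length limit and never touches the last byte. The regex check in the last hunk of this file uses the same store-then-test order. A short comment on the macro should also say that it returns from the scanner through PERROR and that `sizeof(str_buf)` assumes scan_buf is an array member, whose declaration is not shown here.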
@@ -126,7 +132,7 @@
}
}
else {
- *str_ptr++ = yytext[0];
+ STR_APPEND(yytext[0]);
}
}
<str,var,vararg>\n {
@@ -156,20 +162,18 @@
PERROR("Escape sequence out of bound");
}
else {
- *str_ptr++ = result;
+ STR_APPEND(result);
}
}
<str,vararg>\\[0-9]+ {
PERROR("Bad escape sequence");
}
-<str,vararg>\\n { *str_ptr++ = '\n'; }
-<str,vararg>\\r { *str_ptr++ = '\r'; }
-<str,vararg>\\t { *str_ptr++ = '\t'; }
-<str,vararg>\\b { *str_ptr++ = '\b'; }
-<str,vararg>\\f { *str_ptr++ = '\f'; }
-<str,vararg>\\(.|\n) {
- *str_ptr++ = yytext[1];
-}
+<str,vararg>\\n { STR_APPEND('\n'); }
+<str,vararg>\\r { STR_APPEND('\r'); }
+<str,vararg>\\t { STR_APPEND('\t'); }
+<str,vararg>\\b { STR_APPEND('\b'); }
+<str,vararg>\\f { STR_APPEND('\f'); }
+<str,vararg>\\(.|\n) { STR_APPEND(yytext[1]); }
/* regexp backref inside string/arg */
<str,vararg>[$][0-9] {
@@ -189,8 +193,10 @@
<str,vararg>[^\\\n"'%}$]+ {
char *cp = yytext;
- while (*cp != '\0')
- *str_ptr++ = *cp++;
+ while (*cp != '\0') {
+ STR_APPEND(*cp);
+ cp++;
+ }
}
/* variable inside string/arg */
@@ -210,11 +216,11 @@
}
<vararg>[%$] {
- *str_ptr++ = yytext[0];
+ STR_APPEND(yytext[0]);
}
<str>[%}$] {
- *str_ptr++ = yytext[0];
+ STR_APPEND(yytext[0]);
}
%\{ {
@@ -286,6 +292,8 @@
}
else {
*regex_ptr++ = yytext[0];
+ if (regex_ptr >= regex_buf + sizeof(regex_buf))
+ PERROR("Regexp too long");
}
}
<regex_flags>i {
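Review bot: The regex bound check is written out by hand in this else branch while every string write now goes through STR_APPEND, so the two limits can drift apart when one of them is changed later. A `REGEX_APPEND(c)` macro defined next to STR_APPEND would keep both checks in one place. The rule's if branch and the code that terminates regex_buf lie outside the hunk, so it cannot be confirmed from here that every write to regex_ptr is bounded. That matters because the global length guard in ap_expr_parse is removed by this same commit.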