Posted to cvs@httpd.apache.org by yl...@apache.org on 2017/01/10 08:07:44 UTC

svn commit: r1778094 - in /httpd/httpd/branches/2.2.x-merge-http-strict: ./ modules/http/http_filters.c

Author: ylavic
Date: Tue Jan 10 08:07:44 2017
New Revision: 1778094

URL: http://svn.apache.org/viewvc?rev=1778094&view=rev
Log:
Merge r1777460, r1777672 from trunk:

http: allow folding in check_headers(), still compliant with RFC 7230 (3.2.4).


http: follow up to r1777460.
We MUST unfold outgoing HTTP headers in any case, "message/http" is for
inner content.

Modified:
    httpd/httpd/branches/2.2.x-merge-http-strict/   (props changed)
    httpd/httpd/branches/2.2.x-merge-http-strict/modules/http/http_filters.c

Propchange: httpd/httpd/branches/2.2.x-merge-http-strict/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue Jan 10 08:07:44 2017
@@ -1,4 +1,4 @@
 /httpd/httpd/branches/2.2.x:1710095,1727544,1758672
 /httpd/httpd/branches/2.4.x:1555538,1555559,1648845,1649003,1681034,1682929,1682939,1775827
 /httpd/httpd/branches/2.4.x-merge-http-strict:1767913-1775776
-/httpd/httpd/trunk:290940,395552,417988,451572,501364,583817,583830,611483,630858,639005,639010,647395,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,713575,719357,720250,729316-729317,729586,732414,732504,732816,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785457,785661,790587,803704,819480,823536,823563,834378,835046,891282,892678,892808,900022,932791,942209,952823,953311,955966,979120,981084,992625,1026743,1031551,1040304,1040373,1057372,1058192,1070096,1082189,1082196,1090645,1100511,1172732,1178566,1185385,1188745,1200040,1200372,1200374,1213380,1213391,1222335,1223048,1231446,1237407,1244211,1294306,1299738,1300171,1301111,1308862,1327036,1327080,1328133,1328325-1328326,13453
 19,1348656,1349905,1352911-1352912,1363183,1363186,1366344,1367778,1368131,1368396,1369568,1392347,1395225,1398066,1400700,1406719,1407004,1407088,1407528,1407599,1407643,1408402,1410681,1413732,1414094,1416889,1418752,1422234,1422253,1425366,1426827,1426877,1426879,1426988,1426992,1428145,1433613,1435178,1436457,1446421,1447426,1470940,1475878,1476604,1476621,1476642,1476644-1476645,1477530,1483005,1484852,1485409,1485668,1490994,1493330,1496429,1500323,1504276,1506714,1509872,1509875,1514215,1524192,1524770,1526168,1526189,1527291,1527295,1527925,1528718,1529559,1529988,1529991,1531505,1532816,1551685,1551714,1552227,1553204,1554276,1554281,1555240,1555555,1556428,1563420,1572092,1572198,1572543,1572611,1572630,1572655,1572663,1572668-1572671,1572896,1572911,1572967,1573224,1573229,1575400,1585090,1586745,1587594,1587639,1588851,1590509,1603156,1604353,1610207,1610311,1610383,1610491,1610501,1611165,1611169,1620932,1621453,1635762,1643537,1643543,1648840,1649001,1649043,1650310,16
 50320,1652929,1653997,1657897,1658765,1663647,1664205,1664576,1665215,1665218,1665625,1665721,1666363,1674056,1675533,1676654,1677462,1679182,1679470,1680895,1680900,1680942,1681037,1682923,1682937,1683123,1684513,1685345,1685347,1685349-1685350,1687642-1687643,1688274,1688536,1688538,1710095,1727544,1754536,1754538-1754541,1754544,1754547-1754548,1754555-1754556,1754568-1754570,1754577,1754579,1755123-1755126,1755233-1755236,1755263-1755264,1755343,1755744,1756540,1756555,1756649,1756729,1756821,1756823-1756824,1756847,1756849,1756862,1756934,1756937,1756946,1756959,1756978,1757062,1757065,1757589,1757593,1757711,1757920-1757921,1757924,1758226,1758263,1758265-1758266,1758304-1758305,1758313,1760444,1764961,1765112-1765115,1765451,1769965,1770786,1770817,1770867,1770869,1771690,1772418,1773159,1773162,1773293,1773346,1773761,1773779,1773812,1773861-1773862,1773865,1774286,1775199,1775664
+/httpd/httpd/trunk:290940,395552,417988,451572,501364,583817,583830,611483,630858,639005,639010,647395,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,713575,719357,720250,729316-729317,729586,732414,732504,732816,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785457,785661,790587,803704,819480,823536,823563,834378,835046,891282,892678,892808,900022,932791,942209,952823,953311,955966,979120,981084,992625,1026743,1031551,1040304,1040373,1057372,1058192,1070096,1082189,1082196,1090645,1100511,1172732,1178566,1185385,1188745,1200040,1200372,1200374,1213380,1213391,1222335,1223048,1231446,1237407,1244211,1294306,1299738,1300171,1301111,1308862,1327036,1327080,1328133,1328325-1328326,13453
 19,1348656,1349905,1352911-1352912,1363183,1363186,1366344,1367778,1368131,1368396,1369568,1392347,1395225,1398066,1400700,1406719,1407004,1407088,1407528,1407599,1407643,1408402,1410681,1413732,1414094,1416889,1418752,1422234,1422253,1425366,1426827,1426877,1426879,1426988,1426992,1428145,1433613,1435178,1436457,1446421,1447426,1470940,1475878,1476604,1476621,1476642,1476644-1476645,1477530,1483005,1484852,1485409,1485668,1490994,1493330,1496429,1500323,1504276,1506714,1509872,1509875,1514215,1524192,1524770,1526168,1526189,1527291,1527295,1527925,1528718,1529559,1529988,1529991,1531505,1532816,1551685,1551714,1552227,1553204,1554276,1554281,1555240,1555555,1556428,1563420,1572092,1572198,1572543,1572611,1572630,1572655,1572663,1572668-1572671,1572896,1572911,1572967,1573224,1573229,1575400,1585090,1586745,1587594,1587639,1588851,1590509,1603156,1604353,1610207,1610311,1610383,1610491,1610501,1611165,1611169,1620932,1621453,1635762,1643537,1643543,1648840,1649001,1649043,1650310,16
 50320,1652929,1653997,1657897,1658765,1663647,1664205,1664576,1665215,1665218,1665625,1665721,1666363,1674056,1675533,1676654,1677462,1679182,1679470,1680895,1680900,1680942,1681037,1682923,1682937,1683123,1684513,1685345,1685347,1685349-1685350,1687642-1687643,1688274,1688536,1688538,1710095,1727544,1754536,1754538-1754541,1754544,1754547-1754548,1754555-1754556,1754568-1754570,1754577,1754579,1755123-1755126,1755233-1755236,1755263-1755264,1755343,1755744,1756540,1756555,1756649,1756729,1756821,1756823-1756824,1756847,1756849,1756862,1756934,1756937,1756946,1756959,1756978,1757062,1757065,1757589,1757593,1757711,1757920-1757921,1757924,1758226,1758263,1758265-1758266,1758304-1758305,1758313,1760444,1764961,1765112-1765115,1765451,1769965,1770786,1770817,1770867,1770869,1771690,1772418,1773159,1773162,1773293,1773346,1773761,1773779,1773812,1773861-1773862,1773865,1774286,1775199,1775664,1777460,1777672

Modified: httpd/httpd/branches/2.2.x-merge-http-strict/modules/http/http_filters.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x-merge-http-strict/modules/http/http_filters.c?rev=1778094&r1=1778093&r2=1778094&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x-merge-http-strict/modules/http/http_filters.c (original)
+++ httpd/httpd/branches/2.2.x-merge-http-strict/modules/http/http_filters.c Tue Jan 10 08:07:44 2017
@@ -689,10 +689,11 @@ struct check_header_ctx {
 };
 
 /* check a single header, to be used with apr_table_do() */
-static int check_header(void *arg, const char *name, const char *val)
+static int check_header(struct check_header_ctx *ctx,
+                        const char *name, const char **val)
 {
-    struct check_header_ctx *ctx = arg;
-    const char *test;
+    const char *pos, *end;
+    char *dst = NULL;
 
     if (name[0] == '\0') {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r,
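Review bot: The comment kept as context at the top of this hunk, `/* check a single header, to be used with apr_table_do() */`, is stale now that the signature takes `struct check_header_ctx *` and `const char **val` and no longer matches the apr_table_do() callback type. The new `val` is an in/out parameter: the third hunk of this file replaces `*val` with an apr_palloc'd copy when an obs-fold is found, and nothing at the declaration says so. I'd replace the comment with `/* check (and unfold) a single header; may replace *val with an unfolded pool copy */`. check_header()'s body continues past the end of this hunk.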
@@ -701,12 +702,12 @@ static int check_header(void *arg, const
     }
 
     if (ctx->strict) { 
-        test = ap_scan_http_token(name);
+        end = ap_scan_http_token(name);
     }
     else {
-        test = ap_scan_vchar_obstext(name);
+        end = ap_scan_vchar_obstext(name);
     }
-    if (*test) {
+    if (*end) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r,
                       "Response header name '%s' contains invalid "
                       "characters, aborting request",
@@ -714,13 +715,51 @@ static int check_header(void *arg, const
         return 0;
     }
 
-    test = ap_scan_http_field_content(val);
-    if (*test) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r,
-                      "Response header '%s' value of '%s' contains invalid "
-                      "characters, aborting request",
-                      name, val);
-        return 0;
+    for (pos = *val; *pos; pos = end) {
+        end = ap_scan_http_field_content(pos);
+        if (*end) {
+            if (end[0] != CR || end[1] != LF || (end[2] != ' ' &&
+                                                 end[2] != '\t')) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r,
+                              "Response header '%s' value of '%s' contains "
+                              "invalid characters, aborting request",
+                              name, pos);
+                return 0;
+            }
+            if (!dst) {
+                *val = dst = apr_palloc(ctx->r->pool, strlen(*val) + 1);
+            }
+        }
+        if (dst) {
+            memcpy(dst, pos, end - pos);
+            dst += end - pos;
+            if (*end) {
+                /* skip folding and replace with a single space */
+                end += 3 + strspn(end + 3, "\t ");
+                *dst++ = ' ';
+            }
+        }
+    }
+    if (dst) {
+        *dst = '\0';
+    }
+    return 1;
+}
+
+static int check_headers_table(apr_table_t *t, struct check_header_ctx *ctx)
+{
+    const apr_array_header_t *headers = apr_table_elts(t);
+    apr_table_entry_t *header;
+    int i;
+
+    for (i = 0; i < headers->nelts; ++i) {
+        header = &((apr_table_entry_t *)headers->elts)[i];
+        if (!header->key) {
+            continue;
+        }
+        if (!check_header(ctx, header->key, (const char **)&header->val)) {
+            return 0;
+        }
     }
     return 1;
 }
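Review bot: The unfolding loop in check_header() enforces the invariant this change exists for, but no comment states it: the only CR/LF sequence accepted inside a value is obs-fold (CRLF followed by SP or HTAB), and it is rewritten as one SP so no bare CR or LF reaches the emitted header; I'd put `/* only obs-fold (CRLF SP/HTAB) is accepted inside a value; rewrite it as one SP so no CR/LF survives into the wire header */` above the `for`. The error log in that loop deliberately prints `pos` rather than `*val`, since once a fold has been seen `*val` already points at the partially filled, not yet NUL-terminated copy; a one-liner such as `/* log pos, not *val: *val may already be the unfinished unfolded copy */` would keep that from being "fixed". In check_headers_table(), the `(const char **)&header->val` cast is what lets check_header() update the table entry in place, and a why-comment there, e.g. `/* check_header() may replace val with an unfolded copy, updated in place */`, explains why apr_table_setn() is not used. check_header() begins in an earlier hunk of this file.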
@@ -738,8 +777,8 @@ static APR_INLINE int check_headers(requ
 
     ctx.r = r;
     ctx.strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE);
-    return apr_table_do(check_header, &ctx, r->headers_out, NULL) &&
-           apr_table_do(check_header, &ctx, r->err_headers_out, NULL);
+    return check_headers_table(r->headers_out, &ctx) &&
+           check_headers_table(r->err_headers_out, &ctx);
 }
 
 static int check_headers_recursion(request_rec *r)