You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by co...@apache.org on 2015/01/14 14:20:49 UTC
svn commit: r1651653 - in /httpd/httpd/branches/2.4.x: CHANGES server/util.c
Author: covener
Date: Wed Jan 14 13:20:49 2015
New Revision: 1651653
URL: http://svn.apache.org/r1651653
Log:
Merge r1648394 from trunk:
Configuration files with long lines and continuation characters
are not read properly. PR 55910.
Submitted By: Manuel Mausz <manuel-as mausz.at>
Committed By: covener
Modified:
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/server/util.c
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1651653&r1=1651652&r2=1651653&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Wed Jan 14 13:20:49 2015
@@ -5,6 +5,7 @@ Changes with Apache 2.4.11
*) SECURITY: CVE-2014-3583 (cve.mitre.org)
mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with
response headers' size above 8K. [Yann Ylavic, Jeff Trawick]
+
*) SECURITY: CVE-2014-3581 (cve.mitre.org)
mod_cache: Avoid a crash when Content-Type has an empty value.
PR 56924. [Mark Montague <mark catseye.org>, Jan Kaluza]
@@ -21,6 +22,9 @@ Changes with Apache 2.4.11
request headers earlier. Adds "MergeTrailers" directive to restore
legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
+ *) core: Configuration files with long lines and continuation characters
+ are not read properly. PR 55910. [Manuel Mausz <manuel-as mausz.at>]
+
*) mod_include: the 'env' function was incorrectly handled as 'getenv' if the
leading 'e' was written in upper case in <!--#if expr="..." -->
statements. [Christophe Jaillet]
Modified: httpd/httpd/branches/2.4.x/server/util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/util.c?rev=1651653&r1=1651652&r2=1651653&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/server/util.c (original)
+++ httpd/httpd/branches/2.4.x/server/util.c Wed Jan 14 13:20:49 2015
@@ -970,20 +970,20 @@ AP_DECLARE(const char *) ap_pcfg_strerro
/* Read one line from open ap_configfile_t, strip LF, increase line number */
/* If custom handler does not define a getstr() function, read char by char */
static apr_status_t ap_cfg_getline_core(char *buf, apr_size_t bufsize,
- ap_configfile_t *cfp)
+ apr_size_t offset, ap_configfile_t *cfp)
{
apr_status_t rc;
/* If a "get string" function is defined, use it */
if (cfp->getstr != NULL) {
char *cp;
- char *cbuf = buf;
- apr_size_t cbufsize = bufsize;
+ char *cbuf = buf + offset;
+ apr_size_t cbufsize = bufsize - offset;
while (1) {
++cfp->line_number;
rc = cfp->getstr(cbuf, cbufsize, cfp->param);
if (rc == APR_EOF) {
- if (cbuf != buf) {
+ if (cbuf != buf + offset) {
*cbuf = '\0';
break;
}
@@ -1001,11 +1001,11 @@ static apr_status_t ap_cfg_getline_core(
*/
cp = cbuf;
cp += strlen(cp);
- if (cp > cbuf && cp[-1] == LF) {
+ if (cp > buf && cp[-1] == LF) {
cp--;
- if (cp > cbuf && cp[-1] == CR)
+ if (cp > buf && cp[-1] == CR)
cp--;
- if (cp > cbuf && cp[-1] == '\\') {
+ if (cp > buf && cp[-1] == '\\') {
cp--;
/*
* line continuation requested -
@@ -1023,19 +1023,19 @@ static apr_status_t ap_cfg_getline_core(
}
} else {
/* No "get string" function defined; read character by character */
- apr_size_t i = 0;
+ apr_size_t i = offset;
if (bufsize < 2) {
/* too small, assume caller is crazy */
return APR_EINVAL;
}
- buf[0] = '\0';
+ buf[offset] = '\0';
while (1) {
char c;
rc = cfp->getch(&c, cfp->param);
if (rc == APR_EOF) {
- if (i > 0)
+ if (i > offset)
break;
else
return APR_EOF;
@@ -1053,11 +1053,11 @@ static apr_status_t ap_cfg_getline_core(
break;
}
}
- else if (i >= bufsize - 2) {
- return APR_ENOSPC;
- }
buf[i] = c;
++i;
+ if (i >= bufsize - 1) {
+ return APR_ENOSPC;
+ }
}
buf[i] = '\0';
}
@@ -1091,7 +1091,7 @@ static int cfg_trim_line(char *buf)
AP_DECLARE(apr_status_t) ap_cfg_getline(char *buf, apr_size_t bufsize,
ap_configfile_t *cfp)
{
- apr_status_t rc = ap_cfg_getline_core(buf, bufsize, cfp);
+ apr_status_t rc = ap_cfg_getline_core(buf, bufsize, 0, cfp);
if (rc == APR_SUCCESS)
cfg_trim_line(buf);
return rc;
@@ -1118,7 +1118,7 @@ AP_DECLARE(apr_status_t) ap_varbuf_cfg_g
}
for (;;) {
- rc = ap_cfg_getline_core(vb->buf + vb->strlen, vb->avail - vb->strlen, cfp);
+ rc = ap_cfg_getline_core(vb->buf, vb->avail, vb->strlen, cfp);
if (rc == APR_ENOSPC || rc == APR_SUCCESS)
vb->strlen += strlen(vb->buf + vb->strlen);
if (rc != APR_ENOSPC)