Posted to apreq-cvs@httpd.apache.org by jo...@apache.org on 2005/10/12 02:28:56 UTC
svn commit: r312984 - in /httpd/apreq/trunk: CHANGES include/apreq_version.h
library/parser_multipart.c
Author: joes
Date: Tue Oct 11 17:28:51 2005
New Revision: 312984
URL: http://svn.apache.org/viewcvs?rev=312984&view=rev
Log:
Protect against arbitrary recursion depth in apreq_parse_multipart()
by adding a reasonable compile-time MAX_LEVEL limit.
Modified:
httpd/apreq/trunk/CHANGES
httpd/apreq/trunk/include/apreq_version.h
httpd/apreq/trunk/library/parser_multipart.c
Modified: httpd/apreq/trunk/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/apreq/trunk/CHANGES?rev=312984&r1=312983&r2=312984&view=diff
==============================================================================
--- httpd/apreq/trunk/CHANGES (original)
+++ httpd/apreq/trunk/CHANGES Tue Oct 11 17:28:51 2005
@@ -6,6 +6,10 @@
- C API [joes]
+ Protect against arbitrary recursion depth in apreq_parse_multipart()
+ by adding a reasonable compile-time MAX_LEVEL limit.
+
+- C API [joes]
Clean up end-of-file parsing for apreq_parse_multipart(),
conforming to rfc-2046 ยง 5.1.1.
Modified: httpd/apreq/trunk/include/apreq_version.h
URL: http://svn.apache.org/viewcvs/httpd/apreq/trunk/include/apreq_version.h?rev=312984&r1=312983&r2=312984&view=diff
==============================================================================
--- httpd/apreq/trunk/include/apreq_version.h (original)
+++ httpd/apreq/trunk/include/apreq_version.h Tue Oct 11 17:28:51 2005
@@ -61,7 +61,7 @@
#define APREQ_MINOR_VERSION 5
/** patch level */
-#define APREQ_PATCH_VERSION 3
+#define APREQ_PATCH_VERSION 4
/**
* This symbol is defined for internal, "development" copies of libapreq.
Modified: httpd/apreq/trunk/library/parser_multipart.c
URL: http://svn.apache.org/viewcvs/httpd/apreq/trunk/library/parser_multipart.c?rev=312984&r1=312983&r2=312984&view=diff
==============================================================================
--- httpd/apreq/trunk/library/parser_multipart.c (original)
+++ httpd/apreq/trunk/library/parser_multipart.c Tue Oct 11 17:28:51 2005
@@ -35,7 +35,8 @@
return APR_INCOMPLETE; \
} while (0);
-
+/* maximum recursion level in the mfd parser */
+#define MAX_LEVEL 8
struct mfd_ctx {
apr_table_t *info;
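Review bot: The comment on `MAX_LEVEL` does not say how levels are counted or what happens when the limit is reached, which a maintainer needs to know when tuning this bound for nested multipart bodies. Going by the other hunks, the outermost body is created with level 1 and a nested part is refused once `ctx->level >= MAX_LEVEL`, so I would write `/* maximum nesting depth of multipart bodies; the outermost body is level 1, and a part nested deeper than this sets MFD_ERROR */`. Since the log calls this a compile-time limit, wrapping the define in `#ifndef MAX_LEVEL` / `#endif` would let a build override it without editing the file.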
@@ -59,6 +60,7 @@
apr_bucket *eos;
const char *param_name;
apreq_param_t *upload;
+ unsigned level;
};
@@ -204,7 +206,8 @@
apr_pool_t *pool,
apr_bucket_alloc_t *ba,
apr_size_t brigade_limit,
- const char *temp_dir)
+ const char *temp_dir,
+ unsigned level)
{
apr_status_t s;
@@ -243,6 +246,7 @@
ctx->next_parser = NULL;
ctx->param_name = NULL;
ctx->upload = NULL;
+ ctx->level = level;
return ctx;
}
@@ -258,7 +262,7 @@
ctx = create_multipart_context(parser->content_type,
pool, ba,
parser->brigade_limit,
- parser->temp_dir);
+ parser->temp_dir, 1);
if (ctx == NULL)
return APREQ_ERROR_GENERAL;
@@ -389,9 +393,15 @@
if (ct != NULL && strncmp(ct, "multipart/", 10) == 0) {
struct mfd_ctx *next_ctx;
+ if (ctx->level >= MAX_LEVEL) {
+ ctx->status = MFD_ERROR;
+ goto mfd_parse_brigade;
+ }
+
next_ctx = create_multipart_context(ct, pool, ba,
parser->brigade_limit,
- parser->temp_dir);
+ parser->temp_dir,
+ ctx->level + 1);
next_ctx->param_name = "";
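Review bot: `next_ctx` is dereferenced at `next_ctx->param_name = "";` with no NULL check, although the top-level call site in this same patch tests `if (ctx == NULL)` after `create_multipart_context()`. Here `ct` is the nested part's own Content-Type header, so it is request-controlled. If the function returns NULL for a header it cannot parse (its body is not in the hunk, so this is inferred), one nested part would crash the parser instead of failing the request. Add `if (next_ctx == NULL) { ctx->status = MFD_ERROR; goto mfd_parse_brigade; }` directly after the call, mirroring the new depth check. The enclosing function starts and ends outside the hunk.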