You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by yl...@apache.org on 2020/05/20 14:13:09 UTC
svn commit: r1877955 - /httpd/httpd/trunk/server/protocol.c
Author: ylavic
Date: Wed May 20 14:13:09 2020
New Revision: 1877955
URL: http://svn.apache.org/viewvc?rev=1877955&view=rev
Log:
core, protocol: reject invalid Content-Length ASAP.
Don't let invalid invalid Content-Length header go beyond ap_read_request()
and protocol validation. The check in ap_http_filter() is still useful if
some modules mangles the header, but it's too late for the usual case.
Modified:
httpd/httpd/trunk/server/protocol.c
Modified: httpd/httpd/trunk/server/protocol.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?rev=1877955&r1=1877954&r2=1877955&view=diff
==============================================================================
--- httpd/httpd/trunk/server/protocol.c (original)
+++ httpd/httpd/trunk/server/protocol.c Wed May 20 14:13:09 2020
@@ -1493,7 +1493,7 @@ request_rec *ap_read_request(conn_rec *c
apply_server_config(r);
if (!r->assbackwards) {
- const char *tenc;
+ const char *tenc, *clen;
ap_get_mime_headers_core(r, tmp_bb);
apr_brigade_cleanup(tmp_bb);
@@ -1528,6 +1528,17 @@ request_rec *ap_read_request(conn_rec *c
*/
apr_table_unset(r->headers_in, "Content-Length");
}
+ else if ((clen = apr_table_get(r->headers_in, "Content-Length"))) {
+ apr_off_t cl;
+
+ if (!ap_parse_strict_length(&cl, clen)) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(10242)
+ "client sent invalid Content-Length "
+ "(%s): %s", clen, r->uri);
+ access_status = HTTP_BAD_REQUEST;
+ goto die_unusable_input;
+ }
+ }
}
/*