Posted to cvs@httpd.apache.org by yl...@apache.org on 2022/03/07 13:36:10 UTC
svn commit: r1898686 - in /httpd/httpd/trunk: changes-entries/AP_MAX_LIMIT_XML_BODY.diff docs/manual/mod/core.xml server/core.c server/util.c server/util_xml.c
Author: ylavic
Date: Mon Mar 7 13:36:10 2022
New Revision: 1898686
URL: http://svn.apache.org/viewvc?rev=1898686&view=rev
Log:
core: Make sure and check that LimitXMLRequestBody fits in system memory.
LimitXMLRequestBody can not exceed the size needed to ap_escape_html2() the
body without failing to allocate memory, so enforce this at load time based
on APR_SIZE_MAX, and make sure that ap_escape_html2() is within the bounds.
Document the limits for LimitXMLRequestBody in our docs.
Added:
httpd/httpd/trunk/changes-entries/AP_MAX_LIMIT_XML_BODY.diff
Modified:
httpd/httpd/trunk/docs/manual/mod/core.xml
httpd/httpd/trunk/server/core.c
httpd/httpd/trunk/server/util.c
httpd/httpd/trunk/server/util_xml.c
Added: httpd/httpd/trunk/changes-entries/AP_MAX_LIMIT_XML_BODY.diff
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/changes-entries/AP_MAX_LIMIT_XML_BODY.diff?rev=1898686&view=auto
==============================================================================
--- httpd/httpd/trunk/changes-entries/AP_MAX_LIMIT_XML_BODY.diff (added)
+++ httpd/httpd/trunk/changes-entries/AP_MAX_LIMIT_XML_BODY.diff Mon Mar 7 13:36:10 2022
@@ -0,0 +1,2 @@
+ *) core: Make sure and check that LimitXMLRequestBody fits in system memory.
+ [Ruediger Pluem, Yann Ylavic]
\ No newline at end of file
Modified: httpd/httpd/trunk/docs/manual/mod/core.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/core.xml?rev=1898686&r1=1898685&r2=1898686&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/core.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/core.xml Mon Mar 7 13:36:10 2022
@@ -3044,13 +3044,19 @@ LimitRequestLine 4094
<override>All</override>
<usage>
- <p>Limit (in bytes) on maximum size of an XML-based request
- body. A value of <code>0</code> will disable any checking.</p>
+ <p>Limit (in bytes) on the maximum size of an XML-based request
+ body. A value of <code>0</code> will apply a hard limit (depending on
+ 32bit vs 64bit system) allowing for XML escaping within the bounds of
+ the system addressable memory, but it exists for compatibility only
+ and is not recommended since it does not account for memory consumed
+ elsewhere or concurrent requests, which might result in an overall
+ system out-of-memory.
<p>Example:</p>
<highlight language="config">
-LimitXMLRequestBody 0
+# Limit of 1 MiB
+LimitXMLRequestBody 1073741824
</highlight>
</usage>
Modified: httpd/httpd/trunk/server/core.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?rev=1898686&r1=1898685&r2=1898686&view=diff
==============================================================================
--- httpd/httpd/trunk/server/core.c (original)
+++ httpd/httpd/trunk/server/core.c Mon Mar 7 13:36:10 2022
@@ -73,6 +73,8 @@
/* LimitXMLRequestBody handling */
#define AP_LIMIT_UNSET ((long) -1)
#define AP_DEFAULT_LIMIT_XML_BODY ((apr_size_t)1000000)
+/* Hard limit for ap_escape_html2() */
+#define AP_MAX_LIMIT_XML_BODY ((apr_size_t)(APR_SIZE_MAX / 6 - 1))
#define AP_MIN_SENDFILE_BYTES (256)
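Review bot: The comment on `AP_MAX_LIMIT_XML_BODY` does not say where the divisor 6 comes from, so the macro and the escaping code can drift apart unnoticed. Judging by the `j += 5` branches in the ap_escape_html2() hunk of this commit, one input byte can become at most six output bytes; I would spell that out, e.g. `/* Hard limit for ap_escape_html2(): worst case is 6 output bytes per input byte */`. The bound only guarantees that the escaped size is representable in apr_size_t, not that the memory is available, so the comment should describe it as an overflow guard rather than a resource limit.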
@@ -3888,6 +3890,11 @@ static const char *set_limit_xml_req_bod
if (conf->limit_xml_body < 0)
return "LimitXMLRequestBody requires a non-negative integer.";
+ /* zero is AP_MAX_LIMIT_XML_BODY (implicitly) */
+ if ((apr_size_t)conf->limit_xml_body > AP_MAX_LIMIT_XML_BODY)
+ return apr_psprintf(cmd->pool, "LimitXMLRequestBody must not exceed "
+ "%" APR_SIZE_T_FMT, AP_MAX_LIMIT_XML_BODY);
+
return NULL;
}
@@ -3976,6 +3983,8 @@ AP_DECLARE(apr_size_t) ap_get_limit_xml_
conf = ap_get_core_module_config(r->per_dir_config);
if (conf->limit_xml_body == AP_LIMIT_UNSET)
return AP_DEFAULT_LIMIT_XML_BODY;
+ if (conf->limit_xml_body == 0)
+ return AP_MAX_LIMIT_XML_BODY;
return (apr_size_t)conf->limit_xml_body;
}
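Review bot: Returning `AP_MAX_LIMIT_XML_BODY` for a configured 0 changes what callers of ap_get_limit_xml_body() see: 0 never comes back, so any caller that tests the result for zero to mean "unlimited" now has a dead branch, as the util_xml.c hunk of this commit shows. The list of modified files contains no header, so if the declaration's documentation still describes 0 as "no limit" it is now stale. A short comment on the new branch, such as `/* 0 (historically "unlimited") is capped so the body can still be escaped */`, would record the new contract. The function body starts outside the hunk.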
Modified: httpd/httpd/trunk/server/util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util.c?rev=1898686&r1=1898685&r2=1898686&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util.c (original)
+++ httpd/httpd/trunk/server/util.c Mon Mar 7 13:36:10 2022
@@ -2152,11 +2152,14 @@ AP_DECLARE(char *) ap_escape_urlencoded(
AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc)
{
- int i, j;
+ apr_size_t i, j;
char *x;
/* first, count the number of extra characters */
- for (i = 0, j = 0; s[i] != '\0'; i++)
+ for (i = 0, j = 0; s[i] != '\0'; i++) {
+ if (i + j > APR_SIZE_MAX - 6) {
+ abort();
+ }
if (s[i] == '<' || s[i] == '>')
j += 3;
else if (s[i] == '&')
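Review bot: The new overflow guard calls bare `abort()`, which ends the process without a log line, so an operator sees a crashed child and nothing saying that ap_escape_html2() rejected an oversized string. Routing it through the server's existing fatal path, for example `ap_abort_on_oom();`, or logging before aborting, would make the event diagnosable. A one-line comment that 6 is the worst-case number of output bytes per input byte would also help. If the allocation after the loop (outside this hunk) adds one byte for the terminator, `i + j` can still reach `APR_SIZE_MAX` on the final iteration, so `if (i + j >= APR_SIZE_MAX - 6)` would leave room for it. The loop closes in the next hunk.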
@@ -2165,6 +2168,7 @@ AP_DECLARE(char *) ap_escape_html2(apr_p
j += 5;
else if (toasc && !apr_isascii(s[i]))
j += 5;
+ }
if (j == 0)
return apr_pstrmemdup(p, s, i);
Modified: httpd/httpd/trunk/server/util_xml.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_xml.c?rev=1898686&r1=1898685&r2=1898686&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util_xml.c (original)
+++ httpd/httpd/trunk/server/util_xml.c Mon Mar 7 13:36:10 2022
@@ -85,7 +85,7 @@ AP_DECLARE(int) ap_xml_parse_input(reque
}
total_read += len;
- if (limit_xml_body && total_read > limit_xml_body) {
+ if (total_read > limit_xml_body) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00539)
"XML request body is larger than the configured "
"limit of %lu", (unsigned long)limit_xml_body);
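Review bot: With the zero test gone, `limit_xml_body` can now hold `AP_MAX_LIMIT_XML_BODY`, and the unchanged log call below still prints it through `%lu` with a cast to `unsigned long`. Where `unsigned long` is narrower than apr_size_t (64-bit Windows), the logged limit would be truncated and mislead whoever triages the rejection. `"limit of %" APR_SIZE_T_FMT, limit_xml_body` prints the full value, assuming the variable is an apr_size_t (its declaration is outside the hunk). The enclosing function starts and ends outside the hunk.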