diff options
| author | William A. Rowe Jr <wrowe@apache.org> | 2016-12-22 18:39:40 +0000 |
|---|---|---|
| committer | William A. Rowe Jr <wrowe@apache.org> | 2016-12-22 18:39:40 +0000 |
| commit | ad0a815634e1aa2baa6e59c93f6e15c7d7e85517 (patch) | |
| tree | 134f2f4c4041a9a8cc8324fb3761672c61ff8aa7 | |
| parent | 3ff59149540799fec7e9e3b384206f6e95b214c8 (diff) | |
| download | httpd-ad0a815634e1aa2baa6e59c93f6e15c7d7e85517.tar.gz | |
Backports: r892678
Submitted by: niq
Reject requests containing (invalid) NULL characters in request line
or request headers.
PR 43039
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x-merge-http-strict@1775691 13f79535-47bb-0310-9956-ffa450edef68
| -rw-r--r-- | CHANGES | 3 | ||||
| -rw-r--r-- | server/protocol.c | 23 |
2 files changed, 21 insertions, 5 deletions
@@ -1,7 +1,8 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.32 - + *) Core: reject NULLs in request line or request headers. + PR 43039 [Nick Kew] Changes with Apache 2.2.31 diff --git a/server/protocol.c b/server/protocol.c index f078b2f2e4..84d60983a5 100644 --- a/server/protocol.c +++ b/server/protocol.c @@ -433,8 +433,13 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n, } } } - *read = bytes_handled; + + /* PR#43039: We shouldn't accept NULL bytes within the line */ + if (strlen(*s) < bytes_handled - 1) { + return APR_EINVAL; + } + return APR_SUCCESS; } @@ -609,6 +614,9 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb) else if (APR_STATUS_IS_TIMEUP(rv)) { r->status = HTTP_REQUEST_TIME_OUT; } + else if (rv == APR_EINVAL) { + r->status = HTTP_BAD_REQUEST; + } r->proto_num = HTTP_VERSION(1,0); r->protocol = apr_pstrdup(r->pool, "HTTP/1.0"); return 0; @@ -923,9 +931,16 @@ request_rec *ap_read_request(conn_rec *conn) /* Get the request... */ if (!read_request_line(r, tmp_bb)) { - if (r->status == HTTP_REQUEST_URI_TOO_LARGE) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "request failed: URI too long (longer than %d)", r->server->limit_req_line); + if (r->status == HTTP_REQUEST_URI_TOO_LARGE + || r->status == HTTP_BAD_REQUEST) { + if (r->status == HTTP_BAD_REQUEST) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "request failed: invalid characters in URI"); + } + else { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "request failed: URI too long (longer than %d)", r->server->limit_req_line); + } ap_send_error_response(r, 0); ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r); ap_run_log_transaction(r); |