Attachment #35885 for bug #62198

View | Details | Raw Unified | Return to bug 62198
Collapse All | Expand All

Lines 631-637 AP_DECLARE(apr_status_t) ap_get_basic_auth_compone Link Here

(-)include/http_protocol.h (-1 / +3 lines)
631	AP_CORE_DECLARE(void) ap_parse_uri(request_rec r, const char uri);	631	AP_CORE_DECLARE(void) ap_parse_uri(request_rec r, const char uri);
632		632
633	#define AP_GETLINE_FOLD 1 /* Whether to merge continuation lines */	633	#define AP_GETLINE_FOLD 1 /* Whether to merge continuation lines */
634	#define AP_GETLINE_CRLF 2 /Whether line ends must be in the form CR LF /	634	#define AP_GETLINE_CRLF 2 /* Whether line ends must be in the form CR LF */
		635	#define AP_GETLINE_NOSPC_EOL 4 /* Whether to consume up to and including the
		636	end of line on APR_ENOSPC */
635		637
636	/**	638	/**
637	* Get the next line of input for the request	639	* Get the next line of input for the request

Lines 224-229 AP_DECLARE(apr_status_t) ap_rgetline_core(char **s Link Here

(-)server/protocol.c (-23 / +79 lines)
224	int do_alloc = (*s == NULL), saw_eos = 0;	224	int do_alloc = (*s == NULL), saw_eos = 0;
225	int fold = flags & AP_GETLINE_FOLD;	225	int fold = flags & AP_GETLINE_FOLD;
226	int crlf = flags & AP_GETLINE_CRLF;	226	int crlf = flags & AP_GETLINE_CRLF;
		227	int nospc_eol = flags & AP_GETLINE_NOSPC_EOL;
		228	int saw_eol = 0, saw_nospc = 0;
227		229
228	if (!n) {	230	if (!n) {
229	/* Needs room for NUL byte at least */	231	/* Needs room for NUL byte at least */
Lines 239-245 AP_DECLARE(apr_status_t) ap_rgetline_core(char **s Link Here
239	if (last_char)	241	if (last_char)
240	*last_char = '\0';	242	*last_char = '\0';
241		243
242	for (;;) {	244	do {
243	apr_brigade_cleanup(bb);	245	apr_brigade_cleanup(bb);
244	rv = ap_get_brigade(r->proto_input_filters, bb, AP_MODE_GETLINE,	246	rv = ap_get_brigade(r->proto_input_filters, bb, AP_MODE_GETLINE,
245	APR_BLOCK_READ, 0);	247	APR_BLOCK_READ, 0);
Lines 283-290 AP_DECLARE(apr_status_t) ap_rgetline_core(char **s Link Here
283		285
284	/* Would this overrun our buffer? If so, we'll die. */	286	/* Would this overrun our buffer? If so, we'll die. */
285	if (n < bytes_handled + len) {	287	if (n < bytes_handled + len) {
286	rv = APR_ENOSPC;	288	/* Before we die, let's fill the buffer up to its limit (i.e.
287	goto cleanup;	289	* fall through with the remaining length, if any), setting
		290	* saw_eol on LF to stop the outer loop appropriately; we may
		291	* come back here once the buffer is filled (no LF seen), and
		292	* either be done at that time or continue to wait for LF here
		293	* if nospc_eol is set.
		294	*
		295	* But there is also a corner cases which we want to address,
		296	* namely if the buffer is overrun by the final LF only (i.e.
		297	* the CR fits in); this is not really an overrun since we'll
		298	* strip the CR finally (and use it for NUL byte), but anyway
		299	* we have to handle the case so that it's not returned to the
		300	* caller as part of the truncated line (it's not!). This is
		301	* easier to consider that LF is out of counting and thus fall
		302	* through with no error (saw_eol is set to 2 so that we later
		303	* ignore LF handling already done here), while folding and
		304	* nospc_eol logics continue to work (or fail) appropriately.
		305	*/
		306	saw_eol = (str[len - 1] == APR_ASCII_LF);
		307	if (/* First time around */
		308	saw_eol && !saw_nospc
		309	/* Single LF completing the buffered CR, */
		310	&& ((len == 1 && ((*s)[bytes_handled - 1] == APR_ASCII_CR))
		311	/* or trailing CRLF overuns by LF only */
		312	\|\| (len > 1 && str[len - 2] == APR_ASCII_CR
		313	&& n - bytes_handled + 1 == len))) {
		314	/* In both cases *last_char is (to be) the CR stripped by
		315	* later 'bytes_handled = last_char - *s'.
		316	*/
		317	saw_eol = 2;
		318	}
		319	else {
		320	/* In any other case we'd lose data. */
		321	rv = APR_ENOSPC;
		322	saw_nospc = 1;
		323	}
		324	len = n - bytes_handled;
		325	if (!len) {
		326	if (saw_eol) {
		327	break;
		328	}
		329	if (nospc_eol) {
		330	continue;
		331	}
		332	goto cleanup;
		333	}
288	}	334	}
289		335
290	/* Do we have to handle the allocation ourselves? */	336	/* Do we have to handle the allocation ourselves? */
Lines 323-341 AP_DECLARE(apr_status_t) ap_rgetline_core(char **s Link Here
323		369
324	/* If we got a full line of input, stop reading */	370	/* If we got a full line of input, stop reading */
325	if (last_char && (*last_char == APR_ASCII_LF)) {	371	if (last_char && (*last_char == APR_ASCII_LF)) {
326	break;	372	saw_eol = 1;
327	}	373	}
		374	} while (!saw_eol);
		375
		376	if (rv != APR_SUCCESS) {
		377	/* End of line after APR_ENOSPC above */
		378	goto cleanup;
328	}	379	}
329		380
330	/* Now terminate the string at the end of the line;	381	/* Now terminate the string at the end of the line;
331	* if the last-but-one character is a CR, terminate there */	382	* if the last-but-one character is a CR, terminate there.
332	if (last_char > *s && last_char[-1] == APR_ASCII_CR) {	383	* LF is handled above (not accounted) when saw_eol == 2,
333	last_char--;	384	* the last char is CR to terminate at still.
		385	*/
		386	if (saw_eol < 2) {
		387	if (last_char > *s && last_char[-1] == APR_ASCII_CR) {
		388	last_char--;
		389	}
		390	else if (crlf) {
		391	rv = APR_EINVAL;
		392	goto cleanup;
		393	}
334	}	394	}
335	else if (crlf) {
336	rv = APR_EINVAL;
337	goto cleanup;
338	}
339	bytes_handled = last_char - *s;	395	bytes_handled = last_char - *s;
340		396
341	/* If we're folding, we have more work to do.	397	/* If we're folding, we have more work to do.
Lines 443-464 cleanup: Link Here
443	if (bytes_handled >= n) {	499	if (bytes_handled >= n) {
444	bytes_handled = n - 1;	500	bytes_handled = n - 1;
445	}	501	}
		502
		503	*read = bytes_handled;
446	if (*s) {	504	if (*s) {
447	/* ensure the string is NUL terminated */	505	/* ensure the string is NUL terminated */
448	(*s)[bytes_handled] = '\0';	506	(s)[read] = '\0';
449	}
450	*read = bytes_handled;
451		507
452	if (rv != APR_SUCCESS) {	508	/* PR#43039: We shouldn't accept NULL bytes within the line */
453	return rv;	509	bytes_handled = strlen(*s);
		510	if (bytes_handled < *read) {
		511	*read = bytes_handled;
		512	if (rv == APR_SUCCESS) {
		513	rv = APR_EINVAL;
		514	}
		515	}
454	}	516	}
455		517	return rv;
456	/* PR#43039: We shouldn't accept NULL bytes within the line */
457	if (strlen(*s) < bytes_handled) {
458	return APR_EINVAL;
459	}
460
461	return APR_SUCCESS;
462	}	518	}
463		519
464	#if APR_CHARSET_EBCDIC	520	#if APR_CHARSET_EBCDIC

Return to bug 62198