Issue 121926 - webdav ucp: malformed PROPFIND request body
Summary: webdav ucp: malformed PROPFIND request body
Alias: None
Product: General
Classification: Code
Component: code
Version: 3.4.0
Hardware: All All
: P3 Normal
Target Milestone: 4.0.0
Assignee: Ariel Constenla-Haile
QA Contact:
Depends on:
Blocks: 121202 121845
Reported: 2013-03-21 03:56 UTC by Ariel Constenla-Haile
Modified: 2013-03-24 13:28 UTC

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---


Description Ariel Constenla-Haile 2013-03-21 03:56:21 UTC
All PROPFIND requests fail. Looking at the apache server log reveals that the request body is malformed:

[Thu Mar 21 00:36:46.999020 2013] [core:error] [pid 1114] [client ::1:44866] AH00541: XML Parser Error: XML parser error code: not well-formed (invalid token) (4)

The server response:

HTTP/1.1 400 Bad Request
Date: Thu, 21 Mar 2013 03:36:46 GMT
Server: Apache/2.4.3 (Fedora) OpenSSL/1.0.1e-fips PHP/5.4.12 mod_wsgi/3.4 Python/2.7.3 mod_perl/2.0.7 Perl/v5.16.2
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

<title>400 Bad Request</title>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />

Looking at the code

body_bkt = SERF_BUCKET_SIMPLE_STRING( rtl::OUStringToOString( aBodyText, RTL_TEXTENCODING_UTF8 ),
                                      pSerfBucketAlloc );

a) this is passing the rtl::OString, not a null-terminated string
b) when the rtl string dies, the body bucket will point to garbage. Looking at the code in serf:

serf_bucket_t *serf_bucket_simple_create(
    const char *data,
    apr_size_t len,
    serf_simple_freefunc_t freefunc,
    void *freefunc_baton,
    serf_bucket_alloc_t *allocator)
{
    simple_context_t *ctx;

    ctx = serf_bucket_mem_alloc(allocator, sizeof(*ctx));
    /* the bucket only stores the pointer; the caller's buffer is never copied */
    ctx->original = ctx->current = data;
    ctx->remaining = len;
    ctx->freefunc = freefunc;
    ctx->baton = freefunc_baton;

    return serf_bucket_create(&serf_bucket_type_simple, allocator, ctx);
}

data is not copied. This will only work for string literals in read-only storage that live longer than the function call.
In this case, the string content is freed when SerfPropFindReqProcImpl::createSerfRequestBucket returns.
This way, the PROPFIND request body has garbage.
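The lifetime problem described in the report, as an added illustration that is not OpenOffice or serf code and does not reproduce the committed fix: SimpleBucket, simple_create, create_body_copied, create_body_dangling, drain and destroy are hypothetical stand-ins that model serf's non-copying simple bucket. The copying variant gives the bucket its own buffer and a freefunc, so the body outlives the temporary string it was built from; the dangling variant mirrors the pattern in the report and is shown only to contrast the two, it is never read.

```cpp
// Added example (not OpenOffice or serf code): a minimal model of a
// non-copying "simple" bucket and two ways of handing it a request body.
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>

// Hypothetical stand-in for serf's simple_context_t: it holds only a
// pointer and a length, exactly like the real bucket, and never copies.
struct SimpleBucket {
    const char* data;
    std::size_t remaining;
    void (*freefunc)(void* baton, const char* data);
    void* baton;
};

// Mirrors serf_bucket_simple_create: the bucket aliases `data` as-is.
SimpleBucket simple_create(const char* data, std::size_t len,
                           void (*freefunc)(void*, const char*), void* baton) {
    SimpleBucket b;
    b.data = data;
    b.remaining = len;
    b.freefunc = freefunc;
    b.baton = baton;
    return b;
}

static void free_copy(void*, const char* data) {
    std::free(const_cast<char*>(data));
}

// Safe pattern: give the bucket a heap copy that it owns and releases.
SimpleBucket create_body_copied(const std::string& xml) {
    char* copy = static_cast<char*>(std::malloc(xml.size() + 1));
    std::memcpy(copy, xml.c_str(), xml.size() + 1);
    return simple_create(copy, xml.size(), free_copy, nullptr);
}

// Bug pattern from the report: the bucket aliases a local string whose
// storage is released when this function returns. Never dereference
// the returned data; it exists only to show the shape of the defect.
SimpleBucket create_body_dangling() {
    std::string xml = "<D:propfind xmlns:D=\"DAV:\"><D:allprop/></D:propfind>";
    return simple_create(xml.c_str(), xml.size(), nullptr, nullptr);  // dangling on return
}

// Reads the bucket contents, as the transport would stream them.
std::string drain(const SimpleBucket& b) {
    return std::string(b.data, b.remaining);
}

// Releases the buffer through the freefunc, if the bucket owns one.
void destroy(SimpleBucket& b) {
    if (b.freefunc) b.freefunc(b.baton, b.data);
    b.data = nullptr;
    b.remaining = 0;
}

// Returns true when the copied body is still intact after the source
// string has gone out of scope (constructed PROPFIND body, not captured).
bool body_survives_source() {
    const std::string expected = "<D:propfind xmlns:D=\"DAV:\"><D:allprop/></D:propfind>";
    SimpleBucket b;
    {
        std::string xml = expected;
        b = create_body_copied(xml);
    }  // xml is destroyed here; a non-copying bucket would now dangle
    bool ok = drain(b) == expected && b.remaining == expected.size();
    destroy(b);
    return ok;
}

int main() {
    std::printf("copied body survives source: %s\n",
                body_survives_source() ? "yes" : "no");
    return 0;
}
```

The check to carry over to real code is the same one serf's own contract implies: whatever pointer goes into serf_bucket_simple_create must either live at least as long as the bucket (a string literal, or a buffer handed over with a freefunc) or be copied into allocator-owned memory first.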
Comment 1 Ariel Constenla-Haile 2013-03-22 14:16:19 UTC
PROPPATCH is also affected.
The fix is the same for both PROPFIND and PROPPATCH.

Testing the fix with PROPPATCH is quite impossible, because add/removeProperty don't allow setting a css.ucb.XCommandEnvironment to authenticate to the WEBDAV server. Opening a bug for this.
Comment 2 SVN Robot 2013-03-24 13:21:33 UTC
"arielch" committed SVN revision 1460356 into trunk:
i121926 - fix malformed PROPFIND/PROPPATCH request body
Comment 3 Ariel Constenla-Haile 2013-03-24 13:28:54 UTC
Fixed on trunk