From 4a72c8dbe70d095cfb6d23689c072b375bedfcff Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Wed, 1 Jul 2015 00:19:59 +0000
Subject: [PATCH] http: follow up to r1685345. Be lenient up to 10 (room for
 32bit decimals) Bad White Spaces (BWS) between chunk-size and chunk-ext/CRLF.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1688538 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/http/http_filters.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
index 49c8870e43..4304afa3a1 100644
--- a/modules/http/http_filters.c
+++ b/modules/http/http_filters.c
@@ -63,6 +63,7 @@ typedef struct http_filter_ctx
     apr_off_t limit;
     apr_off_t limit_used;
     apr_int32_t chunk_used;
+    apr_int32_t chunk_bws;
     apr_int32_t chunkbits;
     enum
     {
@@ -133,6 +134,7 @@ static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer,
             ctx->remaining = 0;
             ctx->chunkbits = sizeof(apr_off_t) * 8;
             ctx->chunk_used = 0;
+            ctx->chunk_bws = 0;
         }
 
         if (c == LF) {
@@ -164,7 +166,12 @@ static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer,
             }
         }
         else if (c == ' ' || c == '\t') {
+            /* Be lenient up to 10 BWS (term from rfc7230 - 3.2.3).
+             */
             ctx->state = BODY_CHUNK_CR;
+            if (++ctx->chunk_bws > 10) {
+                return APR_EINVAL;
+            }
         }
         else if (ctx->state == BODY_CHUNK_CR) {
             /*