mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00

Drop ap_body_to_table due to missing constraints; a DoS waiting

for an exploit.

Some mod_lua fan ought to revisit this and provide a sensible
implementation.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@953203 13f79535-47bb-0310-9956-ffa450edef68
William A. Rowe Jr
2010-06-10 03:02:07 +00:00
parent ed766d823a
commit 7716d3c3e3
5 changed files with 3 additions and 100 deletions


@@ -227,13 +227,13 @@
* Introduce per-module loglevels * Introduce per-module loglevels
* 20100606.1 (2.3.6-dev) Added extended timestamp formatting via * 20100606.1 (2.3.6-dev) Added extended timestamp formatting via
* ap_recent_ctime_ex(). * ap_recent_ctime_ex().
* * 20100609.0 (2.3.6-dev) Dropped ap_args_to_table due to missing constraints.
*/ */
#define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */ #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
#ifndef MODULE_MAGIC_NUMBER_MAJOR #ifndef MODULE_MAGIC_NUMBER_MAJOR
#define MODULE_MAGIC_NUMBER_MAJOR 20100606 #define MODULE_MAGIC_NUMBER_MAJOR 20100609
#endif #endif
#define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */ #define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */
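Review bot: The new changelog entry for 20100609.0 names the wrong function: it says `ap_args_to_table` was dropped, but this commit removes `ap_body_to_table`, and the `ap_args_to_table` declaration is still present as a context line in the header section of this same commit. Module authors read this log to find out which API disappeared at a major bump, so the entry should read ` * 20100609.0 (2.3.6-dev) Dropped ap_body_to_table due to missing constraints.`. The comment block it belongs to starts above the hunk.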


@@ -142,8 +142,6 @@ AP_DECLARE(int) ap_scan_script_header_err_core(request_rec *r, char *buffer,
AP_DECLARE(void) ap_args_to_table(request_rec *r, apr_table_t **table); AP_DECLARE(void) ap_args_to_table(request_rec *r, apr_table_t **table);
AP_DECLARE(apr_status_t) ap_body_to_table(request_rec *r, apr_table_t **table);
#ifdef __cplusplus #ifdef __cplusplus
} }
#endif #endif


@@ -189,19 +189,6 @@ static int req_write(lua_State *L)
return 0; return 0;
} }
/* r:parsebody() */
static int req_parsebody(lua_State *L)
{
apr_table_t *form_table;
request_rec *r = ap_lua_check_request_rec(L, 1);
lua_newtable(L);
lua_newtable(L);
if (ap_body_to_table(r, &form_table) == APR_SUCCESS) {
apr_table_do(req_aprtable2luatable_cb, L, form_table, NULL);
}
return 2;
}
/* r:addoutputfilter(name|function) */ /* r:addoutputfilter(name|function) */
static int req_add_output_filter(lua_State *L) static int req_add_output_filter(lua_State *L)
{ {
@@ -538,8 +525,6 @@ AP_LUA_DECLARE(void) ap_lua_load_request_lmodule(lua_State *L, apr_pool_t *p)
makefun(&req_document_root, APL_REQ_FUNTYPE_STRING, p)); makefun(&req_document_root, APL_REQ_FUNTYPE_STRING, p));
apr_hash_set(dispatch, "parseargs", APR_HASH_KEY_STRING, apr_hash_set(dispatch, "parseargs", APR_HASH_KEY_STRING,
makefun(&req_parseargs, APL_REQ_FUNTYPE_LUACFUN, p)); makefun(&req_parseargs, APL_REQ_FUNTYPE_LUACFUN, p));
apr_hash_set(dispatch, "parsebody", APR_HASH_KEY_STRING,
makefun(&req_parsebody, APL_REQ_FUNTYPE_LUACFUN, p));
apr_hash_set(dispatch, "debug", APR_HASH_KEY_STRING, apr_hash_set(dispatch, "debug", APR_HASH_KEY_STRING,
makefun(&req_debug, APL_REQ_FUNTYPE_LUACFUN, p)); makefun(&req_debug, APL_REQ_FUNTYPE_LUACFUN, p));
apr_hash_set(dispatch, "info", APR_HASH_KEY_STRING, apr_hash_set(dispatch, "info", APR_HASH_KEY_STRING,


@@ -373,7 +373,7 @@ static const char *direct_chunkreader(lua_State *lvm, void *udata,
for (p = ctx->buf; isspace(*p); ++p); for (p = ctx->buf; isspace(*p); ++p);
if (p[0] == '<' && p[1] == '/') { if (p[0] == '<' && p[1] == '/') {
int i = 0; apr_size_t i = 0;
while (i < strlen(ctx->endstr)) { while (i < strlen(ctx->endstr)) {
if (tolower(p[i + 2]) != ctx->endstr[i]) if (tolower(p[i + 2]) != ctx->endstr[i])
return ctx->buf; return ctx->buf;
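Review bot: The loop whose counter is retyped here still passes `p[i + 2]` straight to `tolower()`, and the `for` line above it passes `*p` to `isspace()`; if `p` is a plain `char *` (its declaration is outside the hunk), any byte above 0x7F in the input becomes a negative argument, which is undefined behaviour for the ctype functions. Casting at the call sites avoids that: `isspace((unsigned char)*p)` and `tolower((unsigned char)p[i + 2])`. The loop condition also re-evaluates `strlen(ctx->endstr)` on every pass, so computing it once before the `while` would be cleaner now that `i` is an `apr_size_t`. The scan only stops short of the end of the data because a NUL in `p[i + 2]` fails the comparison, so a one-line comment stating that `ctx->buf` is NUL-terminated would help; the code that fills the buffer is not visible in this hunk.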


@@ -760,83 +760,3 @@ AP_DECLARE(void) ap_args_to_table(request_rec *r, apr_table_t **table)
argstr_to_table(apr_pstrdup(r->pool, r->args), t); argstr_to_table(apr_pstrdup(r->pool, r->args), t);
*table = t; *table = t;
} }
AP_DECLARE(apr_status_t) ap_body_to_table(request_rec *r, apr_table_t **table)
{
apr_bucket_brigade *bb;
apr_bucket_brigade *tmpbb;
apr_status_t rv = APR_SUCCESS;
if (r->body_table) {
*table = r->body_table;
return APR_SUCCESS;
}
*table = NULL;
bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
tmpbb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
do {
apr_off_t len;
rv = ap_get_brigade(r->input_filters, tmpbb, AP_MODE_READBYTES,
APR_BLOCK_READ, AP_IOBUFSIZE);
if (rv) {
break;
}
rv = apr_brigade_length(tmpbb, 1, &len);
if (rv) {
break;
}
if (len == 0) {
break;
}
APR_BRIGADE_CONCAT(bb, tmpbb);
} while(1);
if (!rv) {
r->body_table = apr_table_make(r->pool, 10);
if (!APR_BRIGADE_EMPTY(bb)) {
char *buffer;
apr_off_t len;
apr_pool_t *tpool;
apr_pool_create(&tpool, r->pool);
rv = apr_brigade_length(bb, 1, &len);
if (!rv) {
apr_size_t total;
/* XXX where's our test that len fits in memory???
* theoretically can be a large file > ram space.
* need to cast len to apr_size_t but it would mask
* this notable mistake
*/
buffer = apr_palloc(tpool, len+1);
total = len+1;
rv = apr_brigade_flatten(bb, buffer, &total);
buffer[total] = '\0';
argstr_to_table(buffer, r->body_table);
}
apr_pool_destroy(tpool);
}
}
apr_brigade_destroy(bb);
apr_brigade_destroy(tmpbb);
*table = r->body_table;
return rv;
}