Drop ap_body_to_table due to missing constraints; a DoS waiting

for an exploit. Some mod_lua fan aught to revisit this and provide a sensible implementation. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@953203 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2010-06-10 03:02:07 +00:00
parent ed766d823a
commit 7716d3c3e3
5 changed files with 3 additions and 100 deletions
--- a/include/ap_mmn.h
+++ b/include/ap_mmn.h
@@ -227,13 +227,13 @@
 *                         Introduce per-module loglevels
 * 20100606.1 (2.3.6-dev)  Added extended timestamp formatting via
 *                         ap_recent_ctime_ex().
- *
+ * 20100609.0 (2.3.6-dev)  Dropped ap_args_to_table due to missing constraints.
 */

 #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */

 #ifndef MODULE_MAGIC_NUMBER_MAJOR
-#define MODULE_MAGIC_NUMBER_MAJOR 20100606
+#define MODULE_MAGIC_NUMBER_MAJOR 20100609
 #endif
 #define MODULE_MAGIC_NUMBER_MINOR 0                     /* 0...n */

--- a/include/util_script.h
+++ b/include/util_script.h
@@ -142,8 +142,6 @@ AP_DECLARE(int) ap_scan_script_header_err_core(request_rec *r, char *buffer,

 AP_DECLARE(void) ap_args_to_table(request_rec *r, apr_table_t **table);

-AP_DECLARE(apr_status_t) ap_body_to_table(request_rec *r, apr_table_t **table);
-    
 #ifdef __cplusplus
 }
 #endif
--- a/modules/lua/lua_request.c
+++ b/modules/lua/lua_request.c
@@ -189,19 +189,6 @@ static int req_write(lua_State *L)
    return 0;
 }

-/* r:parsebody() */
-static int req_parsebody(lua_State *L)
-{
-    apr_table_t *form_table;
-    request_rec *r = ap_lua_check_request_rec(L, 1);
-    lua_newtable(L);
-    lua_newtable(L);
-    if (ap_body_to_table(r, &form_table) == APR_SUCCESS) {
-        apr_table_do(req_aprtable2luatable_cb, L, form_table, NULL);
-    }
-    return 2;
-}
-
 /* r:addoutputfilter(name|function) */
 static int req_add_output_filter(lua_State *L)
 {
@@ -538,8 +525,6 @@ AP_LUA_DECLARE(void) ap_lua_load_request_lmodule(lua_State *L, apr_pool_t *p)
                 makefun(&req_document_root, APL_REQ_FUNTYPE_STRING, p));
    apr_hash_set(dispatch, "parseargs", APR_HASH_KEY_STRING,
                 makefun(&req_parseargs, APL_REQ_FUNTYPE_LUACFUN, p));
-    apr_hash_set(dispatch, "parsebody", APR_HASH_KEY_STRING,
-                 makefun(&req_parsebody, APL_REQ_FUNTYPE_LUACFUN, p));
    apr_hash_set(dispatch, "debug", APR_HASH_KEY_STRING,
                 makefun(&req_debug, APL_REQ_FUNTYPE_LUACFUN, p));
    apr_hash_set(dispatch, "info", APR_HASH_KEY_STRING,
--- a/modules/lua/mod_lua.c
+++ b/modules/lua/mod_lua.c
@@ -373,7 +373,7 @@ static const char *direct_chunkreader(lua_State *lvm, void *udata,

    for (p = ctx->buf; isspace(*p); ++p);
    if (p[0] == '<' && p[1] == '/') {
-        int i = 0;
+        apr_size_t i = 0;
        while (i < strlen(ctx->endstr)) {
            if (tolower(p[i + 2]) != ctx->endstr[i])
                return ctx->buf;
--- a/server/util_script.c
+++ b/server/util_script.c
@@ -760,83 +760,3 @@ AP_DECLARE(void) ap_args_to_table(request_rec *r, apr_table_t **table)
    argstr_to_table(apr_pstrdup(r->pool, r->args), t);
    *table = t;
 }
-
-AP_DECLARE(apr_status_t) ap_body_to_table(request_rec *r, apr_table_t **table)
-{
-    apr_bucket_brigade *bb;
-    apr_bucket_brigade *tmpbb;
-    apr_status_t rv = APR_SUCCESS;
-
-    if (r->body_table) {
-        *table = r->body_table;
-        return APR_SUCCESS;
-    }
-    
-    *table = NULL;
-
-    bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
-    tmpbb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
-
-    do {
-        apr_off_t len;
-
-        rv = ap_get_brigade(r->input_filters, tmpbb, AP_MODE_READBYTES,
-                            APR_BLOCK_READ, AP_IOBUFSIZE);
-        if (rv) {
-            break;
-        }
-
-        rv = apr_brigade_length(tmpbb, 1, &len);
-        if (rv) {
-            break;
-        }
-        
-        if (len == 0) {
-            break;
-        }
-
-        APR_BRIGADE_CONCAT(bb, tmpbb);
-    } while(1);
-
-    if (!rv) {
-        r->body_table = apr_table_make(r->pool, 10);
-        
-        if (!APR_BRIGADE_EMPTY(bb)) {
-            char *buffer;
-            apr_off_t len;
-            apr_pool_t *tpool;
-
-            apr_pool_create(&tpool, r->pool);
-            
-            rv = apr_brigade_length(bb, 1, &len);
-
-            if (!rv) {
-                apr_size_t total;
-                /* XXX where's our test that len fits in memory??? 
-                 * theoretically can be a large file > ram space.
-                 * need to cast len to apr_size_t but it would mask
-                 * this notable mistake
-                 */
-                buffer = apr_palloc(tpool, len+1);
-                
-                total = len+1;
-
-                rv = apr_brigade_flatten(bb, buffer, &total);
-
-                buffer[total] = '\0';
-
-                argstr_to_table(buffer, r->body_table);
-            }
-            apr_pool_destroy(tpool);
-        }
-    }
-
-    apr_brigade_destroy(bb);
-    apr_brigade_destroy(tmpbb);
-
-    *table = r->body_table;
-
-    return rv;
-}
-
-