VladPolskiy/apache-http-server
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-16 17:04:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Limit length of lines in .htaccess to 8K again, to reduce DoS potential.

Browse Source 
Make ap_varbuf_cfg_getline() strictly enforce the max_len parameter.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1213338 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Stefan Fritsch
2011-12-12 17:50:33 +00:00
parent e0a5a7882e
commit 91ce790cd3
5 changed files with 26 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
docs/manual/configuring.xml
View File

@ -96,6 +96,11 @@ Server.</p>
module="mod_env">SetEnv</directive>, take effect too late to be used for module="mod_env">SetEnv</directive>, take effect too late to be used for
expansions in the configuration file.</p> expansions in the configuration file.</p>
<p>The maximum length of a line in normal configuration files, after
variable substitution and joining any continued lines, is approximately
16 MiB. In <a href="configuring.xml#htaccess">.htaccess files</a>, the
maximum length is 8190 characters.</p>
<p>You can check your configuration files for syntax errors <p>You can check your configuration files for syntax errors
without starting the server by using <code>apachectl without starting the server by using <code>apachectl
configtest</code> or the <code>-t</code> command line configtest</code> or the <code>-t</code> command line

6
include/http_config.h
View File

@ -818,6 +818,8 @@ AP_DECLARE(const char *) ap_pcfg_strerror(apr_pool_t *p, ap_configfile_t *cfp,
* @param cmd The cmd_parms to pass to the directives inside the container * @param cmd The cmd_parms to pass to the directives inside the container
* @param directive The directive name to read until * @param directive The directive name to read until
* @return Error string on failure, NULL on success * @return Error string on failure, NULL on success
* @note If cmd->pool == cmd->temp_pool, ap_soak_end_container() will assume
* .htaccess context and use a lower maximum line length.
*/ */
AP_DECLARE(const char *) ap_soak_end_container(cmd_parms *cmd, char *directive); AP_DECLARE(const char *) ap_soak_end_container(cmd_parms *cmd, char *directive);
@ -831,6 +833,8 @@ AP_DECLARE(const char *) ap_soak_end_container(cmd_parms *cmd, char *directive);
* @param curr_parent The current parent node * @param curr_parent The current parent node
* @param orig_directive The directive to read until hit. * @param orig_directive The directive to read until hit.
* @return Error string on failure, NULL on success * @return Error string on failure, NULL on success
* @note If p == temp_pool, ap_build_cont_config() will assume .htaccess
* context and use a lower maximum line length.
*/ */
AP_DECLARE(const char *) ap_build_cont_config(apr_pool_t *p, AP_DECLARE(const char *) ap_build_cont_config(apr_pool_t *p,
apr_pool_t *temp_pool, apr_pool_t *temp_pool,
@ -846,6 +850,8 @@ AP_DECLARE(const char *) ap_build_cont_config(apr_pool_t *p,
* @param temp_pool The temporary pool * @param temp_pool The temporary pool
* @param conftree Place to store the root node of the config tree * @param conftree Place to store the root node of the config tree
* @return Error string on erro, NULL otherwise * @return Error string on erro, NULL otherwise
* @note If conf_pool == temp_pool, ap_build_config() will assume .htaccess
* context and use a lower maximum line length.
*/ */
AP_DECLARE(const char *) ap_build_config(cmd_parms *parms, AP_DECLARE(const char *) ap_build_config(cmd_parms *parms,
apr_pool_t *conf_pool, apr_pool_t *conf_pool,

4
include/util_varbuf.h
View File

@ -151,10 +151,8 @@ AP_DECLARE(apr_status_t) ap_varbuf_regsub(struct ap_varbuf *vb,
/** Read a line from an ap_configfile_t into an ap_varbuf. /** Read a line from an ap_configfile_t into an ap_varbuf.
* @param vb pointer to the ap_varbuf struct * @param vb pointer to the ap_varbuf struct
* @param cfg pointer to the ap_configfile_t * @param cfg pointer to the ap_configfile_t
* @param max_len (soft) limit for the size of the buffer * @param max_len maximum line length, including leading/trailing whitespace
* @return see ap_cfg_getline() * @return see ap_cfg_getline()
* @note The buffer will not be grown once it has reached at least max_len
* bytes. This means that the returned line can be longer than max_len.
* @note vb->strlen will be set to the length of the line * @note vb->strlen will be set to the length of the line
*/ */
AP_DECLARE(apr_status_t) ap_varbuf_cfg_getline(struct ap_varbuf *vb, AP_DECLARE(apr_status_t) ap_varbuf_cfg_getline(struct ap_varbuf *vb,

15
server/config.c
View File

@ -1202,11 +1202,14 @@ AP_DECLARE(const char *) ap_build_cont_config(apr_pool_t *p,
ap_directive_t *sub_tree = NULL; ap_directive_t *sub_tree = NULL;
apr_status_t rc; apr_status_t rc;
struct ap_varbuf vb; struct ap_varbuf vb;
apr_size_t max_len = VARBUF_MAX_LEN;
if (p == temp_pool)
max_len = HUGE_STRING_LEN; /* lower limit for .htaccess */
bracket = apr_pstrcat(temp_pool, orig_directive + 1, ">", NULL); bracket = apr_pstrcat(temp_pool, orig_directive + 1, ">", NULL);
ap_varbuf_init(temp_pool, &vb, VARBUF_INIT_LEN); ap_varbuf_init(temp_pool, &vb, VARBUF_INIT_LEN);
while ((rc = ap_varbuf_cfg_getline(&vb, parms->config_file, VARBUF_MAX_LEN)) while ((rc = ap_varbuf_cfg_getline(&vb, parms->config_file, max_len))
== APR_SUCCESS) { == APR_SUCCESS) {
if (!memcmp(vb.buf, "</", 2) if (!memcmp(vb.buf, "</", 2)
&& (strcasecmp(vb.buf + 2, bracket) == 0) && (strcasecmp(vb.buf + 2, bracket) == 0)
@ -1324,6 +1327,9 @@ AP_DECLARE(const char *) ap_build_config(cmd_parms *parms,
ap_directive_t **last_ptr = NULL; ap_directive_t **last_ptr = NULL;
apr_status_t rc; apr_status_t rc;
struct ap_varbuf vb; struct ap_varbuf vb;
apr_size_t max_len = VARBUF_MAX_LEN;
if (p == temp_pool)
max_len = HUGE_STRING_LEN; /* lower limit for .htaccess */
ap_varbuf_init(temp_pool, &vb, VARBUF_INIT_LEN); ap_varbuf_init(temp_pool, &vb, VARBUF_INIT_LEN);
@ -1349,7 +1355,7 @@ AP_DECLARE(const char *) ap_build_config(cmd_parms *parms,
} }
} }
while ((rc = ap_varbuf_cfg_getline(&vb, parms->config_file, VARBUF_MAX_LEN)) while ((rc = ap_varbuf_cfg_getline(&vb, parms->config_file, max_len))
== APR_SUCCESS) { == APR_SUCCESS) {
errmsg = ap_build_config_sub(p, temp_pool, vb.buf, parms, errmsg = ap_build_config_sub(p, temp_pool, vb.buf, parms,
&current, &curr_parent, conftree); &current, &curr_parent, conftree);
@ -1540,10 +1546,13 @@ AP_DECLARE(const char *) ap_soak_end_container(cmd_parms *cmd, char *directive)
const char *args; const char *args;
char *cmd_name; char *cmd_name;
apr_status_t rc; apr_status_t rc;
apr_size_t max_len = VARBUF_MAX_LEN;
if (cmd->pool == cmd->temp_pool)
max_len = HUGE_STRING_LEN; /* lower limit for .htaccess */
ap_varbuf_init(cmd->temp_pool, &vb, VARBUF_INIT_LEN); ap_varbuf_init(cmd->temp_pool, &vb, VARBUF_INIT_LEN);
while((rc = ap_varbuf_cfg_getline(&vb, cmd->config_file, VARBUF_MAX_LEN)) while((rc = ap_varbuf_cfg_getline(&vb, cmd->config_file, max_len))
== APR_SUCCESS) { == APR_SUCCESS) {
#if RESOLVE_ENV_PER_TOKEN #if RESOLVE_ENV_PER_TOKEN
args = vb.buf; args = vb.buf;

2
server/util.c
View File

@ -1112,6 +1112,8 @@ AP_DECLARE(apr_status_t) ap_varbuf_cfg_getline(struct ap_varbuf *vb,
ap_varbuf_grow(vb, new_len); ap_varbuf_grow(vb, new_len);
--cfp->line_number; --cfp->line_number;
} }
if (vb->strlen > max_len)
return APR_ENOSPC;
if (rc == APR_SUCCESS) if (rc == APR_SUCCESS)
vb->strlen = cfg_trim_line(vb->buf); vb->strlen = cfg_trim_line(vb->buf);
return rc; return rc;