diff options
| author | Yann Ylavic <ylavic@apache.org> | 2020-06-01 17:40:03 +0200 |
|---|---|---|
| committer | Yann Ylavic <ylavic@apache.org> | 2020-06-01 17:40:03 +0200 |
| commit | 10342f684711600acafbadd8bd99b7f70185e21e (patch) | |
| tree | 05ede80adc954dcac0aaff6c3f8e2917388178d9 /modules/proxy/mod_proxy_http.c | |
| parent | util_filter: both directions for setaside/reinstate/adapt logging. (diff) | |
| download | apache2-10342f684711600acafbadd8bd99b7f70185e21e.tar.xz apache2-10342f684711600acafbadd8bd99b7f70185e21e.zip | |
mod_proxy_http: put request/response splitting checks under the same comment.
If stream_reqbody() detects a Content-Length vs bytes streamed mismatch it
means that a module's filter played bad games, such inconsistency on the client
connection would have been caught by ap_http_filter().
So move AH01087 logic to AH01086, under the same comment and log message, and
always return HTTP_INTERNAL_SERVER because the client is not the culprit here.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1878367 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to '')
| -rw-r--r-- | modules/proxy/mod_proxy_http.c | 31 |
1 files changed, 15 insertions, 16 deletions
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c index a4be4ee336..8b93632341 100644 --- a/modules/proxy/mod_proxy_http.c +++ b/modules/proxy/mod_proxy_http.c @@ -364,20 +364,26 @@ static int stream_reqbody(proxy_http_req_t *req) } } else if (rb_method == RB_STREAM_CL - && bytes_streamed > req->cl_val) { - /* C-L < bytes streamed?!? - * We will error out after the body is completely - * consumed, but we can't stream more bytes at the - * back end since they would in part be interpreted - * as another request! If nothing is sent, then - * just send nothing. + && (bytes_streamed > req->cl_val + || (seen_eos && bytes_streamed < req->cl_val))) { + /* C-L != bytes streamed?!? * - * Prevents HTTP Response Splitting. + * Prevent HTTP Request/Response Splitting. + * + * We can't stream more (or less) bytes at the back end since + * they could be interpreted in separate requests (more bytes + * now would start a new request, less bytes would make the + * first bytes of the next request be part of the current one). + * + * It can't happen from the client connection here thanks to + * ap_http_filter(), but some module's filter may be playing + * bad games, hence the HTTP_INTERNAL_SERVER_ERROR. */ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01086) - "read more bytes of request body than expected " + "read %s bytes of request body than expected " "(got %" APR_OFF_T_FMT ", expected " "%" APR_OFF_T_FMT ")", + bytes_streamed > req->cl_val ? "more" : "less", bytes_streamed, req->cl_val); return HTTP_INTERNAL_SERVER_ERROR; } @@ -403,13 +409,6 @@ static int stream_reqbody(proxy_http_req_t *req) } } while (!seen_eos); - if (rb_method == RB_STREAM_CL && bytes_streamed != req->cl_val) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01087) - "client %s given Content-Length did not match" - " number of body bytes read", r->connection->client_ip); - return HTTP_BAD_REQUEST; - } - return OK; } |