|
|
17bfed |
diff --git a/docs/manual/mod/core.html.en b/docs/manual/mod/core.html.en
|
|
|
17bfed |
index 20d1e5a..e1ec8d0 100644
|
|
|
17bfed |
--- a/docs/manual/mod/core.html.en
|
|
|
17bfed |
+++ b/docs/manual/mod/core.html.en
|
|
|
17bfed |
@@ -2935,12 +2935,19 @@ from the client
|
|
|
17bfed |
Status:Core
|
|
|
17bfed |
Module:core
|
|
|
17bfed |
|
|
|
17bfed |
- Limit (in bytes) on maximum size of an XML-based request
|
|
|
17bfed |
- body. A value of 0 will disable any checking.
|
|
|
17bfed |
+ Limit (in bytes) on the maximum size of an XML-based request
|
|
|
17bfed |
+ body. A value of 0 will apply a hard limit (depending on
|
|
|
17bfed |
+ 32bit vs 64bit system) allowing for XML escaping within the bounds of
|
|
|
17bfed |
+ the system addressable memory, but it exists for compatibility only
|
|
|
17bfed |
+ and is not recommended since it does not account for memory consumed
|
|
|
17bfed |
+ elsewhere or concurrent requests, which might result in an overall
|
|
|
17bfed |
+ system out-of-memory.
|
|
|
17bfed |
+
|
|
|
17bfed |
|
|
|
17bfed |
Example:
|
|
|
17bfed |
|
|
|
17bfed |
- LimitXMLRequestBody 0
|
|
|
17bfed |
+ # Limit of 1 MiB
|
|
|
17bfed |
+ LimitXMLRequestBody 1073741824
|
|
|
17bfed |
|
|
|
17bfed |
|
|
|
17bfed |
|
|
|
17bfed |
diff --git a/server/core.c b/server/core.c
|
|
|
17bfed |
index e32613d..8abfa65 100644
|
|
|
17bfed |
--- a/server/core.c
|
|
|
17bfed |
+++ b/server/core.c
|
|
|
17bfed |
@@ -70,6 +70,8 @@
|
|
|
17bfed |
/* LimitXMLRequestBody handling */
|
|
|
17bfed |
#define AP_LIMIT_UNSET ((long) -1)
|
|
|
17bfed |
#define AP_DEFAULT_LIMIT_XML_BODY ((apr_size_t)1000000)
|
|
|
17bfed |
+/* Hard limit for ap_escape_html2() */
|
|
|
17bfed |
+#define AP_MAX_LIMIT_XML_BODY ((apr_size_t)(APR_SIZE_MAX / 6 - 1))
|
|
|
17bfed |
|
|
|
17bfed |
#define AP_MIN_SENDFILE_BYTES (256)
|
|
|
17bfed |
|
|
|
17bfed |
@@ -3689,6 +3691,11 @@ static const char *set_limit_xml_req_body(cmd_parms *cmd, void *conf_,
|
|
|
17bfed |
if (conf->limit_xml_body < 0)
|
|
|
17bfed |
return "LimitXMLRequestBody requires a non-negative integer.";
|
|
|
17bfed |
|
|
|
17bfed |
+ /* zero is AP_MAX_LIMIT_XML_BODY (implicitly) */
|
|
|
17bfed |
+ if ((apr_size_t)conf->limit_xml_body > AP_MAX_LIMIT_XML_BODY)
|
|
|
17bfed |
+ return apr_psprintf(cmd->pool, "LimitXMLRequestBody must not exceed "
|
|
|
17bfed |
+ "%" APR_SIZE_T_FMT, AP_MAX_LIMIT_XML_BODY);
|
|
|
17bfed |
+
|
|
|
17bfed |
return NULL;
|
|
|
17bfed |
}
|
|
|
17bfed |
|
|
|
17bfed |
@@ -3777,6 +3784,8 @@ AP_DECLARE(apr_size_t) ap_get_limit_xml_body(const request_rec *r)
|
|
|
17bfed |
conf = ap_get_core_module_config(r->per_dir_config);
|
|
|
17bfed |
if (conf->limit_xml_body == AP_LIMIT_UNSET)
|
|
|
17bfed |
return AP_DEFAULT_LIMIT_XML_BODY;
|
|
|
17bfed |
+ if (conf->limit_xml_body == 0)
|
|
|
17bfed |
+ return AP_MAX_LIMIT_XML_BODY;
|
|
|
17bfed |
|
|
|
17bfed |
return (apr_size_t)conf->limit_xml_body;
|
|
|
17bfed |
}
|
|
|
17bfed |
diff --git a/server/util.c b/server/util.c
|
|
|
17bfed |
index 2a5dd04..eefdafa 100644
|
|
|
17bfed |
--- a/server/util.c
|
|
|
17bfed |
+++ b/server/util.c
|
|
|
17bfed |
@@ -2037,11 +2037,14 @@ AP_DECLARE(char *) ap_escape_urlencoded(apr_pool_t *p, const char *buffer)
|
|
|
17bfed |
|
|
|
17bfed |
AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc)
|
|
|
17bfed |
{
|
|
|
17bfed |
- int i, j;
|
|
|
17bfed |
+ apr_size_t i, j;
|
|
|
17bfed |
char *x;
|
|
|
17bfed |
|
|
|
17bfed |
/* first, count the number of extra characters */
|
|
|
17bfed |
- for (i = 0, j = 0; s[i] != '\0'; i++)
|
|
|
17bfed |
+ for (i = 0, j = 0; s[i] != '\0'; i++) {
|
|
|
17bfed |
+ if (i + j > APR_SIZE_MAX - 6) {
|
|
|
17bfed |
+ abort();
|
|
|
17bfed |
+ }
|
|
|
17bfed |
if (s[i] == '<' || s[i] == '>')
|
|
|
17bfed |
j += 3;
|
|
|
17bfed |
else if (s[i] == '&')
|
|
|
17bfed |
@@ -2050,6 +2053,7 @@ AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc)
|
|
|
17bfed |
j += 5;
|
|
|
17bfed |
else if (toasc && !apr_isascii(s[i]))
|
|
|
17bfed |
j += 5;
|
|
|
17bfed |
+ }
|
|
|
17bfed |
|
|
|
17bfed |
if (j == 0)
|
|
|
17bfed |
return apr_pstrmemdup(p, s, i);
|
|
|
17bfed |
diff --git a/server/util_xml.c b/server/util_xml.c
|
|
|
17bfed |
index 4845194..22806fa 100644
|
|
|
17bfed |
--- a/server/util_xml.c
|
|
|
17bfed |
+++ b/server/util_xml.c
|
|
|
17bfed |
@@ -85,7 +85,7 @@ AP_DECLARE(int) ap_xml_parse_input(request_rec * r, apr_xml_doc **pdoc)
|
|
|
17bfed |
}
|
|
|
17bfed |
|
|
|
17bfed |
total_read += len;
|
|
|
17bfed |
- if (limit_xml_body && total_read > limit_xml_body) {
|
|
|
17bfed |
+ if (total_read > limit_xml_body) {
|
|
|
17bfed |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00539)
|
|
|
17bfed |
"XML request body is larger than the configured "
|
|
|
17bfed |
"limit of %lu", (unsigned long)limit_xml_body);
|