rpms / httpd

Clone
Source Code
GIT

Blame SOURCES/httpd-2.4.53-CVE-2022-29404.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-2.4 c8-sig-artwork c8-stream-2.4 c8s-stream-2.4 c9 c9-beta
  1.   57e3a1c6653806fa3b27383115427cb10a1479b9
  2.   SOURCES
  3.   httpd-2.4.53-CVE-2022-29404.patch
Blob History Raw
ebde72 
diff --git a/docs/manual/mod/core.html.en b/docs/manual/mod/core.html.en
ebde72 
index bb6b90a..d14aed4 100644
ebde72 
--- a/docs/manual/mod/core.html.en
ebde72 
+++ b/docs/manual/mod/core.html.en
ebde72 
@@ -2796,16 +2796,16 @@ subrequests
ebde72 
 Description:Restricts the total size of the HTTP request body sent
ebde72 
 from the client
ebde72 
 Syntax:LimitRequestBody bytes
ebde72 
-Default:LimitRequestBody 0
ebde72 
+Default:LimitRequestBody 1073741824
ebde72 
 Context:server config, virtual host, directory, .htaccess
ebde72 
 Override:All
ebde72 
 Status:Core
ebde72 
 Module:core
ebde72 
+Compatibility:In Apache HTTP Server 2.4.53 and earlier, the default value
ebde72 
+    was 0 (unlimited)
ebde72
ebde72 
-    
This directive specifies the number of bytes from 0
ebde72 
-    (meaning unlimited) to 2147483647 (2GB) that are allowed in a
ebde72 
-    request body. See the note below for the limited applicability
ebde72 
-    to proxy requests.
ebde72 
+    
This directive specifies the number of bytes
ebde72 
+    that are allowed in a request body. A value of 0 means unlimited.
ebde72
ebde72 
     
The LimitRequestBody directive allows
ebde72 
     the user to set a limit on the allowed size of an HTTP request
ebde72 
@@ -2831,12 +2831,6 @@ from the client
ebde72
ebde72 
     
LimitRequestBody 102400
ebde72
ebde72 
-
ebde72 
-    
For a full description of how this directive is interpreted by
ebde72 
-    proxy requests, see the mod_proxy documentation.
ebde72 
-
ebde72 
-
ebde72 
-
ebde72
ebde72 
 
top
ebde72 
 
LimitRequestFields Directive
ebde72 
diff --git a/docs/manual/mod/mod_proxy.html.en b/docs/manual/mod/mod_proxy.html.en
ebde72 
index ee7b1e3..233d234 100644
ebde72 
--- a/docs/manual/mod/mod_proxy.html.en
ebde72 
+++ b/docs/manual/mod/mod_proxy.html.en
ebde72 
@@ -463,9 +463,6 @@ ProxyPass "/examples" "http://backend.example.com/examples" timeout=10
ebde72 
     Content-Length header, but the server is configured to filter incoming
ebde72 
     request bodies.
ebde72
ebde72 
-    
LimitRequestBody only applies to
ebde72 
-    request bodies that the server will spool to disk
ebde72 
-
ebde72 
     
top
ebde72
ebde72 
 
Reverse Proxy Request Headers
ebde72 
diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
ebde72 
index 43e8c6d..33c78f3 100644
ebde72 
--- a/modules/http/http_filters.c
ebde72 
+++ b/modules/http/http_filters.c
ebde72 
@@ -1703,6 +1703,7 @@ AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy)
ebde72 
 {
ebde72 
     const char *tenc = apr_table_get(r->headers_in, "Transfer-Encoding");
ebde72 
     const char *lenp = apr_table_get(r->headers_in, "Content-Length");
ebde72 
+    apr_off_t limit_req_body = ap_get_limit_req_body(r);
ebde72
ebde72 
     r->read_body = read_policy;
ebde72 
     r->read_chunked = 0;
ebde72 
@@ -1738,6 +1739,11 @@ AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy)
ebde72 
         return HTTP_REQUEST_ENTITY_TOO_LARGE;
ebde72 
     }
ebde72
ebde72 
+    if (limit_req_body > 0 && (r->remaining > limit_req_body)) {
ebde72 
+        /* will be logged when the body is discarded */
ebde72 
+        return HTTP_REQUEST_ENTITY_TOO_LARGE;
ebde72 
+    }
ebde72 
+
ebde72 
 #ifdef AP_DEBUG
ebde72 
     {
ebde72 
         /* Make sure ap_getline() didn't leave any droppings. */
ebde72 
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
ebde72 
index bc86253..85f2f9c 100644
ebde72 
--- a/modules/proxy/proxy_util.c
ebde72 
+++ b/modules/proxy/proxy_util.c
ebde72 
@@ -4260,13 +4260,10 @@ PROXY_DECLARE(int) ap_proxy_spool_input(request_rec *r,
ebde72 
     apr_bucket *e;
ebde72 
     apr_off_t bytes, fsize = 0;
ebde72 
     apr_file_t *tmpfile = NULL;
ebde72 
-    apr_off_t limit;
ebde72
ebde72 
     *bytes_spooled = 0;
ebde72 
     body_brigade = apr_brigade_create(p, bucket_alloc);
ebde72
ebde72 
-    limit = ap_get_limit_req_body(r);
ebde72 
-
ebde72 
     do {
ebde72 
         if (APR_BRIGADE_EMPTY(input_brigade)) {
ebde72 
             rv = ap_proxy_read_input(r, backend, input_brigade,
ebde72 
@@ -4284,17 +4281,6 @@ PROXY_DECLARE(int) ap_proxy_spool_input(request_rec *r,
ebde72 
         apr_brigade_length(input_brigade, 1, &bytes);
ebde72
ebde72 
         if (*bytes_spooled + bytes > max_mem_spool) {
ebde72 
-            /*
ebde72 
-             * LimitRequestBody does not affect Proxy requests (Should it?).
ebde72 
-             * Let it take effect if we decide to store the body in a
ebde72 
-             * temporary file on disk.
ebde72 
-             */
ebde72 
-            if (limit && (*bytes_spooled + bytes > limit)) {
ebde72 
-                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01088)
ebde72 
-                              "Request body is larger than the configured "
ebde72 
-                              "limit of %" APR_OFF_T_FMT, limit);
ebde72 
-                return HTTP_REQUEST_ENTITY_TOO_LARGE;
ebde72 
-            }
ebde72 
             /* can't spool any more in memory; write latest brigade to disk */
ebde72 
             if (tmpfile == NULL) {
ebde72 
                 const char *temp_dir;
ebde72 
diff --git a/server/core.c b/server/core.c
ebde72 
index 3d44e0e..682259f 100644
ebde72 
--- a/server/core.c
ebde72 
+++ b/server/core.c
ebde72 
@@ -71,7 +71,7 @@
ebde72
ebde72 
 /* LimitRequestBody handling */
ebde72 
 #define AP_LIMIT_REQ_BODY_UNSET         ((apr_off_t) -1)
ebde72 
-#define AP_DEFAULT_LIMIT_REQ_BODY       ((apr_off_t) 0)
ebde72 
+#define AP_DEFAULT_LIMIT_REQ_BODY       ((apr_off_t) 1<<30) /* 1GB */
ebde72
ebde72 
 /* LimitXMLRequestBody handling */
ebde72 
 #define AP_LIMIT_UNSET                  ((long) -1)

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation