summaryrefslogtreecommitdiffstats
path: root/debian/patches/CVE-2022-29404.patch
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-07 02:04:07 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-07 02:04:07 +0000
commit1221c736f9a90756d47ea6d28320b6b83602dd2a (patch)
treeb453ba7b1393205258c9b098a773b4330984672f /debian/patches/CVE-2022-29404.patch
parentAdding upstream version 2.4.38. (diff)
downloadapache2-1221c736f9a90756d47ea6d28320b6b83602dd2a.tar.xz
apache2-1221c736f9a90756d47ea6d28320b6b83602dd2a.zip
Adding debian version 2.4.38-3+deb10u8.debian/2.4.38-3+deb10u8
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/CVE-2022-29404.patch')
-rw-r--r--debian/patches/CVE-2022-29404.patch82
1 files changed, 82 insertions, 0 deletions
diff --git a/debian/patches/CVE-2022-29404.patch b/debian/patches/CVE-2022-29404.patch
new file mode 100644
index 0000000..259e920
--- /dev/null
+++ b/debian/patches/CVE-2022-29404.patch
@@ -0,0 +1,82 @@
+From ce259c4061905bf834f9af51c92456cfe8335ddc Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Wed, 1 Jun 2022 12:31:48 +0000
+Subject: [PATCH] Merge r1901497 from trunk:
+
+use a liberal default limit for LimitRequestBody of 1GB
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1901499 13f79535-47bb-0310-9956-ffa450edef68
+Origin: https://github.com/apache/httpd/commit/ce259c4061905bf834f9af51c92456cfe8335ddc
+---
+ modules/http/http_filters.c | 6 ++++++
+ modules/proxy/mod_proxy_http.c | 14 --------------
+ server/core.c | 2 +-
+ 3 files changed, 7 insertions(+), 15 deletions(-)
+
+--- a/modules/http/http_filters.c
++++ b/modules/http/http_filters.c
+@@ -1657,6 +1657,7 @@
+ {
+ const char *tenc = apr_table_get(r->headers_in, "Transfer-Encoding");
+ const char *lenp = apr_table_get(r->headers_in, "Content-Length");
++ apr_off_t limit_req_body = ap_get_limit_req_body(r);
+
+ r->read_body = read_policy;
+ r->read_chunked = 0;
+@@ -1695,6 +1696,11 @@
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ }
+
++ if (limit_req_body > 0 && (r->remaining > limit_req_body)) {
++ /* will be logged when the body is discarded */
++ return HTTP_REQUEST_ENTITY_TOO_LARGE;
++ }
++
+ #ifdef AP_DEBUG
+ {
+ /* Make sure ap_getline() didn't leave any droppings. */
+--- a/server/core.c
++++ b/server/core.c
+@@ -61,7 +61,7 @@
+
+ /* LimitRequestBody handling */
+ #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
+-#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0)
++#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */
+
+ /* LimitXMLRequestBody handling */
+ #define AP_LIMIT_UNSET ((long) -1)
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -512,12 +512,9 @@
+ apr_bucket *e;
+ apr_off_t bytes, bytes_spooled = 0, fsize = 0;
+ apr_file_t *tmpfile = NULL;
+- apr_off_t limit;
+
+ body_brigade = apr_brigade_create(p, bucket_alloc);
+
+- limit = ap_get_limit_req_body(r);
+-
+ while (!APR_BUCKET_IS_EOS(APR_BRIGADE_FIRST(input_brigade)))
+ {
+ /* If this brigade contains EOS, either stop or remove it. */
+@@ -532,17 +529,6 @@
+ apr_brigade_length(input_brigade, 1, &bytes);
+
+ if (bytes_spooled + bytes > MAX_MEM_SPOOL) {
+- /*
+- * LimitRequestBody does not affect Proxy requests (Should it?).
+- * Let it take effect if we decide to store the body in a
+- * temporary file on disk.
+- */
+- if (limit && (bytes_spooled + bytes > limit)) {
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01088)
+- "Request body is larger than the configured "
+- "limit of %" APR_OFF_T_FMT, limit);
+- return HTTP_REQUEST_ENTITY_TOO_LARGE;
+- }
+ /* can't spool any more in memory; write latest brigade to disk */
+ if (tmpfile == NULL) {
+ const char *temp_dir;