summaryrefslogtreecommitdiffstats
path: root/debian/patches/CVE-2022-22721.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/CVE-2022-22721.patch')
-rw-r--r--debian/patches/CVE-2022-22721.patch116
1 files changed, 0 insertions, 116 deletions
diff --git a/debian/patches/CVE-2022-22721.patch b/debian/patches/CVE-2022-22721.patch
deleted file mode 100644
index 2f607aa..0000000
--- a/debian/patches/CVE-2022-22721.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 5a72f0fe6f2f8ce35c45242e99a421dc19251ab5 Mon Sep 17 00:00:00 2001
-From: Yann Ylavic <ylavic@apache.org>
-Date: Mon, 7 Mar 2022 14:48:54 +0000
-Subject: [PATCH] core: Make sure and check that LimitXMLRequestBody fits in
- system memory.
-
-LimitXMLRequestBody can not exceed the size needed to ap_escape_html2() the
-body without failing to allocate memory, so enforce this at load time based
-on APR_SIZE_MAX, and make sure that ap_escape_html2() is within the bounds.
-
-Document the limits for LimitXMLRequestBody in our docs.
-
-
-Merge r1898686 from trunk.
-Submitted by: ylavic, rpluem
-Reviewed by: ylavic, covener, rpluem
-
-
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898693 13f79535-47bb-0310-9956-ffa450edef68
----
- changes-entries/AP_MAX_LIMIT_XML_BODY.diff | 2 ++
- docs/manual/mod/core.xml | 12 +++++++++---
- server/core.c | 9 +++++++++
- server/util.c | 8 ++++++--
- server/util_xml.c | 2 +-
- 5 files changed, 27 insertions(+), 6 deletions(-)
- create mode 100644 changes-entries/AP_MAX_LIMIT_XML_BODY.diff
-
-diff --git a/changes-entries/AP_MAX_LIMIT_XML_BODY.diff b/changes-entries/AP_MAX_LIMIT_XML_BODY.diff
-new file mode 100644
-index 0000000000..07fef3c624
---- /dev/null
-+++ b/changes-entries/AP_MAX_LIMIT_XML_BODY.diff
-@@ -0,0 +1,2 @@
-+ *) core: Make sure and check that LimitXMLRequestBody fits in system memory.
-+ [Ruediger Pluem, Yann Ylavic]
-\ No newline at end of file
-diff --git a/server/core.c b/server/core.c
-index 798212b480..090e397642 100644
---- a/server/core.c
-+++ b/server/core.c
-@@ -72,6 +72,8 @@
- /* LimitXMLRequestBody handling */
- #define AP_LIMIT_UNSET ((long) -1)
- #define AP_DEFAULT_LIMIT_XML_BODY ((apr_size_t)1000000)
-+/* Hard limit for ap_escape_html2() */
-+#define AP_MAX_LIMIT_XML_BODY ((apr_size_t)(APR_SIZE_MAX / 6 - 1))
-
- #define AP_MIN_SENDFILE_BYTES (256)
-
-@@ -3761,6 +3763,11 @@ static const char *set_limit_xml_req_body(cmd_parms *cmd, void *conf_,
- if (conf->limit_xml_body < 0)
- return "LimitXMLRequestBody requires a non-negative integer.";
-
-+ /* zero is AP_MAX_LIMIT_XML_BODY (implicitly) */
-+ if ((apr_size_t)conf->limit_xml_body > AP_MAX_LIMIT_XML_BODY)
-+ return apr_psprintf(cmd->pool, "LimitXMLRequestBody must not exceed "
-+ "%" APR_SIZE_T_FMT, AP_MAX_LIMIT_XML_BODY);
-+
- return NULL;
- }
-
-@@ -3849,6 +3856,8 @@ AP_DECLARE(apr_size_t) ap_get_limit_xml_body(const request_rec *r)
- conf = ap_get_core_module_config(r->per_dir_config);
- if (conf->limit_xml_body == AP_LIMIT_UNSET)
- return AP_DEFAULT_LIMIT_XML_BODY;
-+ if (conf->limit_xml_body == 0)
-+ return AP_MAX_LIMIT_XML_BODY;
-
- return (apr_size_t)conf->limit_xml_body;
- }
-diff --git a/server/util.c b/server/util.c
-index 6cfe0035c4..604be1a1ce 100644
---- a/server/util.c
-+++ b/server/util.c
-@@ -2142,11 +2142,14 @@ AP_DECLARE(char *) ap_escape_urlencoded(apr_pool_t *p, const char *buffer)
-
- AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc)
- {
-- int i, j;
-+ apr_size_t i, j;
- char *x;
-
- /* first, count the number of extra characters */
-- for (i = 0, j = 0; s[i] != '\0'; i++)
-+ for (i = 0, j = 0; s[i] != '\0'; i++) {
-+ if (i + j > APR_SIZE_MAX - 6) {
-+ abort();
-+ }
- if (s[i] == '<' || s[i] == '>')
- j += 3;
- else if (s[i] == '&')
-@@ -2155,6 +2158,7 @@ AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc)
- j += 5;
- else if (toasc && !apr_isascii(s[i]))
- j += 5;
-+ }
-
- if (j == 0)
- return apr_pstrmemdup(p, s, i);
-diff --git a/server/util_xml.c b/server/util_xml.c
-index 4845194656..22806fa8a4 100644
---- a/server/util_xml.c
-+++ b/server/util_xml.c
-@@ -85,7 +85,7 @@ AP_DECLARE(int) ap_xml_parse_input(request_rec * r, apr_xml_doc **pdoc)
- }
-
- total_read += len;
-- if (limit_xml_body && total_read > limit_xml_body) {
-+ if (total_read > limit_xml_body) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00539)
- "XML request body is larger than the configured "
- "limit of %lu", (unsigned long)limit_xml_body);
---
-2.30.2
-