diff options
Diffstat (limited to 'debian/patches/CVE-2022-22721.patch')
-rw-r--r-- | debian/patches/CVE-2022-22721.patch | 116 |
1 files changed, 0 insertions, 116 deletions
diff --git a/debian/patches/CVE-2022-22721.patch b/debian/patches/CVE-2022-22721.patch deleted file mode 100644 index 2f607aa..0000000 --- a/debian/patches/CVE-2022-22721.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 5a72f0fe6f2f8ce35c45242e99a421dc19251ab5 Mon Sep 17 00:00:00 2001 -From: Yann Ylavic <ylavic@apache.org> -Date: Mon, 7 Mar 2022 14:48:54 +0000 -Subject: [PATCH] core: Make sure and check that LimitXMLRequestBody fits in - system memory. - -LimitXMLRequestBody can not exceed the size needed to ap_escape_html2() the -body without failing to allocate memory, so enforce this at load time based -on APR_SIZE_MAX, and make sure that ap_escape_html2() is within the bounds. - -Document the limits for LimitXMLRequestBody in our docs. - - -Merge r1898686 from trunk. -Submitted by: ylavic, rpluem -Reviewed by: ylavic, covener, rpluem - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898693 13f79535-47bb-0310-9956-ffa450edef68 ---- - changes-entries/AP_MAX_LIMIT_XML_BODY.diff | 2 ++ - docs/manual/mod/core.xml | 12 +++++++++--- - server/core.c | 9 +++++++++ - server/util.c | 8 ++++++-- - server/util_xml.c | 2 +- - 5 files changed, 27 insertions(+), 6 deletions(-) - create mode 100644 changes-entries/AP_MAX_LIMIT_XML_BODY.diff - -diff --git a/changes-entries/AP_MAX_LIMIT_XML_BODY.diff b/changes-entries/AP_MAX_LIMIT_XML_BODY.diff -new file mode 100644 -index 0000000000..07fef3c624 ---- /dev/null -+++ b/changes-entries/AP_MAX_LIMIT_XML_BODY.diff -@@ -0,0 +1,2 @@ -+ *) core: Make sure and check that LimitXMLRequestBody fits in system memory. -+ [Ruediger Pluem, Yann Ylavic] -\ No newline at end of file -diff --git a/server/core.c b/server/core.c -index 798212b480..090e397642 100644 ---- a/server/core.c -+++ b/server/core.c -@@ -72,6 +72,8 @@ - /* LimitXMLRequestBody handling */ - #define AP_LIMIT_UNSET ((long) -1) - #define AP_DEFAULT_LIMIT_XML_BODY ((apr_size_t)1000000) -+/* Hard limit for ap_escape_html2() */ -+#define AP_MAX_LIMIT_XML_BODY ((apr_size_t)(APR_SIZE_MAX / 6 - 1)) - - #define AP_MIN_SENDFILE_BYTES (256) - -@@ -3761,6 +3763,11 @@ static const char *set_limit_xml_req_body(cmd_parms *cmd, void *conf_, - if (conf->limit_xml_body < 0) - return "LimitXMLRequestBody requires a non-negative integer."; - -+ /* zero is AP_MAX_LIMIT_XML_BODY (implicitly) */ -+ if ((apr_size_t)conf->limit_xml_body > AP_MAX_LIMIT_XML_BODY) -+ return apr_psprintf(cmd->pool, "LimitXMLRequestBody must not exceed " -+ "%" APR_SIZE_T_FMT, AP_MAX_LIMIT_XML_BODY); -+ - return NULL; - } - -@@ -3849,6 +3856,8 @@ AP_DECLARE(apr_size_t) ap_get_limit_xml_body(const request_rec *r) - conf = ap_get_core_module_config(r->per_dir_config); - if (conf->limit_xml_body == AP_LIMIT_UNSET) - return AP_DEFAULT_LIMIT_XML_BODY; -+ if (conf->limit_xml_body == 0) -+ return AP_MAX_LIMIT_XML_BODY; - - return (apr_size_t)conf->limit_xml_body; - } -diff --git a/server/util.c b/server/util.c -index 6cfe0035c4..604be1a1ce 100644 ---- a/server/util.c -+++ b/server/util.c -@@ -2142,11 +2142,14 @@ AP_DECLARE(char *) ap_escape_urlencoded(apr_pool_t *p, const char *buffer) - - AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc) - { -- int i, j; -+ apr_size_t i, j; - char *x; - - /* first, count the number of extra characters */ -- for (i = 0, j = 0; s[i] != '\0'; i++) -+ for (i = 0, j = 0; s[i] != '\0'; i++) { -+ if (i + j > APR_SIZE_MAX - 6) { -+ abort(); -+ } - if (s[i] == '<' || s[i] == '>') - j += 3; - else if (s[i] == '&') -@@ -2155,6 +2158,7 @@ AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc) - j += 5; - else if (toasc && !apr_isascii(s[i])) - j += 5; -+ } - - if (j == 0) - return apr_pstrmemdup(p, s, i); -diff --git a/server/util_xml.c b/server/util_xml.c -index 4845194656..22806fa8a4 100644 ---- a/server/util_xml.c -+++ b/server/util_xml.c -@@ -85,7 +85,7 @@ AP_DECLARE(int) ap_xml_parse_input(request_rec * r, apr_xml_doc **pdoc) - } - - total_read += len; -- if (limit_xml_body && total_read > limit_xml_body) { -+ if (total_read > limit_xml_body) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00539) - "XML request body is larger than the configured " - "limit of %lu", (unsigned long)limit_xml_body); --- -2.30.2 - |