diff options
Diffstat (limited to 'debian/patches/CVE-2022-29404.patch')
| -rw-r--r-- | debian/patches/CVE-2022-29404.patch | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/debian/patches/CVE-2022-29404.patch b/debian/patches/CVE-2022-29404.patch new file mode 100644 index 0000000..259e920 --- /dev/null +++ b/debian/patches/CVE-2022-29404.patch @@ -0,0 +1,82 @@ +From ce259c4061905bf834f9af51c92456cfe8335ddc Mon Sep 17 00:00:00 2001 +From: Eric Covener <covener@apache.org> +Date: Wed, 1 Jun 2022 12:31:48 +0000 +Subject: [PATCH] Merge r1901497 from trunk: + +use a liberal default limit for LimitRequestBody of 1GB + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1901499 13f79535-47bb-0310-9956-ffa450edef68 +Origin: https://github.com/apache/httpd/commit/ce259c4061905bf834f9af51c92456cfe8335ddc +--- + modules/http/http_filters.c | 6 ++++++ + modules/proxy/mod_proxy_http.c | 14 -------------- + server/core.c | 2 +- + 3 files changed, 7 insertions(+), 15 deletions(-) + +--- a/modules/http/http_filters.c ++++ b/modules/http/http_filters.c +@@ -1657,6 +1657,7 @@ + { + const char *tenc = apr_table_get(r->headers_in, "Transfer-Encoding"); + const char *lenp = apr_table_get(r->headers_in, "Content-Length"); ++ apr_off_t limit_req_body = ap_get_limit_req_body(r); + + r->read_body = read_policy; + r->read_chunked = 0; +@@ -1695,6 +1696,11 @@ + return HTTP_REQUEST_ENTITY_TOO_LARGE; + } + ++ if (limit_req_body > 0 && (r->remaining > limit_req_body)) { ++ /* will be logged when the body is discarded */ ++ return HTTP_REQUEST_ENTITY_TOO_LARGE; ++ } ++ + #ifdef AP_DEBUG + { + /* Make sure ap_getline() didn't leave any droppings. */ +--- a/server/core.c ++++ b/server/core.c +@@ -61,7 +61,7 @@ + + /* LimitRequestBody handling */ + #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) +-#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) ++#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */ + + /* LimitXMLRequestBody handling */ + #define AP_LIMIT_UNSET ((long) -1) +--- a/modules/proxy/mod_proxy_http.c ++++ b/modules/proxy/mod_proxy_http.c +@@ -512,12 +512,9 @@ + apr_bucket *e; + apr_off_t bytes, bytes_spooled = 0, fsize = 0; + apr_file_t *tmpfile = NULL; +- apr_off_t limit; + + body_brigade = apr_brigade_create(p, bucket_alloc); + +- limit = ap_get_limit_req_body(r); +- + while (!APR_BUCKET_IS_EOS(APR_BRIGADE_FIRST(input_brigade))) + { + /* If this brigade contains EOS, either stop or remove it. */ +@@ -532,17 +529,6 @@ + apr_brigade_length(input_brigade, 1, &bytes); + + if (bytes_spooled + bytes > MAX_MEM_SPOOL) { +- /* +- * LimitRequestBody does not affect Proxy requests (Should it?). +- * Let it take effect if we decide to store the body in a +- * temporary file on disk. +- */ +- if (limit && (bytes_spooled + bytes > limit)) { +- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01088) +- "Request body is larger than the configured " +- "limit of %" APR_OFF_T_FMT, limit); +- return HTTP_REQUEST_ENTITY_TOO_LARGE; +- } + /* can't spool any more in memory; write latest brigade to disk */ + if (tmpfile == NULL) { + const char *temp_dir; |