Subject: svn commit: r1497429 - in /httpd/httpd/branches/2.2.x: STATUS include/ap_mmn.h include/httpd.h modules/metadata/mod_setenvif.c server/util.c
Date: Thu, 27 Jun 2013 16:29:38 -0000
To: cvs@httpd.apache.org
From: covener@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20130627162938.9A25C2388906@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: covener Date: Thu Jun 27 16:29:37 2013 New Revision: 1497429 URL: http://svn.apache.org/r1497429 Log: * core: Limit ap_pregsub() to 64MB, add ap_pregsub_ex() for longer strings. The default limit can be adjusted at compile time using AP_PREGSUB_MAXLEN. mod_setenvif: Log error on substitution overflow. Submitted by: trawick Reviewed by: trawic, wrowe, covener Modified: httpd/httpd/branches/2.2.x/STATUS httpd/httpd/branches/2.2.x/include/ap_mmn.h httpd/httpd/branches/2.2.x/include/httpd.h httpd/httpd/branches/2.2.x/modules/metadata/mod_setenvif.c httpd/httpd/branches/2.2.x/server/util.c Modified: httpd/httpd/branches/2.2.x/STATUS URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1497429&r1=1497428&r2=1497429&view=diff ============================================================================== --- httpd/httpd/branches/2.2.x/STATUS (original) +++ httpd/httpd/branches/2.2.x/STATUS Thu Jun 27 16:29:37 2013 
@@ -141,26 +141,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: 2.2.x patch: trunk patch works modulo CHANGES +1: trawick, wrowe, rjung - * core: Limit ap_pregsub() to 64MB, add ap_pregsub_ex() for longer strings. - The default limit can be adjusted at compile time using AP_PREGSUB_MAXLEN. - mod_setenvif: Log error on substitution overflow. - - IMPORTANT: This could break existing configurations which rely on - substitutions > 64MB. Those sites need to rebuild with an - override of AP_PREGSUB_MAXLEN. - 2.4.x has a much smaller limit on ap_pregsub() because that change - was introduced with the new release. - - trunk patch: - util.c: too many to list, as it is tied up in other added features and follow- - up fixes; I started with 2.4.x HEAD and backed out some semantic changes - in the code of interest - mod_setenvif.c: http://svn.apache.org/viewvc?view=revision&revision=1198966 - 2.2.x patch: http://people.apache.org/~trawick/ap_pregsub_ex_22x-2.txt - +1: trawick, wrowe, covener - - - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] Modified: httpd/httpd/branches/2.2.x/include/ap_mmn.h URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/include/ap_mmn.h?rev=1497429&r1=1497428&r2=1497429&view=diff ============================================================================== --- httpd/httpd/branches/2.2.x/include/ap_mmn.h (original) +++ httpd/httpd/branches/2.2.x/include/ap_mmn.h Thu Jun 27 16:29:37 2013 @@ -149,7 +149,8 @@ * 20051115.29 (2.2.21) add max_ranges to core_dir_config * 20051115.30 (2.2.21) add ap_set_accept_ranges() * 20051115.31 (2.2.23) Add forcerecovery to proxy_balancer_shared struct - # 20051115.32 (2.2.24) Add ap_get_exec_line + * 20051115.32 (2.2.24) Add ap_get_exec_line + * 20051115.33 (2.2.24) Add ap_pregsub_ex() */ #define MODULE_MAGIC_COOKIE 0x41503232UL /* "AP22" */ 
@@ -157,7 +158,7 @@ #ifndef MODULE_MAGIC_NUMBER_MAJOR #define MODULE_MAGIC_NUMBER_MAJOR 20051115 #endif -#define MODULE_MAGIC_NUMBER_MINOR 32 /* 0...n */ +#define MODULE_MAGIC_NUMBER_MINOR 33 /* 0...n */ /** * Determine if the server's current MODULE_MAGIC_NUMBER is at least a Modified: httpd/httpd/branches/2.2.x/include/httpd.h URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/include/httpd.h?rev=1497429&r1=1497428&r2=1497429&view=diff ============================================================================== --- httpd/httpd/branches/2.2.x/include/httpd.h (original) +++ httpd/httpd/branches/2.2.x/include/httpd.h Thu Jun 27 16:29:37 2013 
@@ -1701,6 +1701,26 @@ AP_DECLARE(char *) ap_pregsub(apr_pool_t size_t nmatch, ap_regmatch_t pmatch[]); /** + * After performing a successful regex match, you may use this function to + * perform a series of string substitutions based on subexpressions that were + * matched during the call to ap_regexec + * @param p The pool to allocate from + * @param result where to store the result, will be set to NULL on error + * @param input An arbitrary string containing $1 through $9. These are + * replaced with the corresponding matched sub-expressions + * @param source The string that was originally matched to the regex + * @param nmatch the nmatch returned from ap_pregex + * @param pmatch the pmatch array returned from ap_pregex + * @param maxlen the maximum string length to return, 0 for unlimited + * @return APR_SUCCESS if successful, APR_ENOMEM or other error code otherwise. + */ +AP_DECLARE(apr_status_t) ap_pregsub_ex(apr_pool_t *p, char **result, + const char *input, const char *source, + apr_size_t nmatch, + ap_regmatch_t pmatch[], + apr_size_t maxlen); + +/** * We want to downcase the type/subtype for comparison purposes * but nothing else because ;parameter=foo values are case sensitive. * @param s The content-type to convert to lowercase Modified: httpd/httpd/branches/2.2.x/modules/metadata/mod_setenvif.c URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/metadata/mod_setenvif.c?rev=1497429&r1=1497428&r2=1497429&view=diff ============================================================================== --- httpd/httpd/branches/2.2.x/modules/metadata/mod_setenvif.c (original) +++ httpd/httpd/branches/2.2.x/modules/metadata/mod_setenvif.c Thu Jun 27 16:29:37 2013 
@@ -555,6 +555,13 @@ static int match_headers(request_rec *r) apr_table_setn(r->subprocess_env, elts[j].key, replaced); } + else { + ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, + "Regular expression replacement " + "failed for '%s', value too long?", + elts[j].key); + return HTTP_INTERNAL_SERVER_ERROR; + } } else { apr_table_setn(r->subprocess_env, elts[j].key, Modified: httpd/httpd/branches/2.2.x/server/util.c URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/util.c?rev=1497429&r1=1497428&r2=1497429&view=diff ============================================================================== --- httpd/httpd/branches/2.2.x/server/util.c (original) +++ httpd/httpd/branches/2.2.x/server/util.c Thu Jun 27 16:29:37 2013 @@ -360,34 +360,38 @@ AP_DECLARE(const char *) ap_stripprefix( * AT&T V8 regexp package. */ -AP_DECLARE(char *) ap_pregsub(apr_pool_t *p, const char *input, - const char *source, size_t nmatch, - ap_regmatch_t pmatch[]) +static apr_status_t regsub_core(apr_pool_t *p, char **result, + const char *input, + const char *source, apr_size_t nmatch, + ap_regmatch_t pmatch[], apr_size_t maxlen) { const char *src = input; - char *dest, *dst; + char *dst; char c; - size_t no; - apr_size_t len; + apr_size_t no; + apr_size_t len = 0; - if (!source) - return NULL; - if (!nmatch) - return apr_pstrdup(p, src); + AP_DEBUG_ASSERT(result && p); + if (!source || nmatch>AP_MAX_REG_MATCH) + return APR_EINVAL; + if (!nmatch) { + len = strlen(src); + if (maxlen > 0 && len >= maxlen) + return APR_ENOMEM; + *result = apr_pstrmemdup(p, src, len); + return APR_SUCCESS; + } /* First pass, find the size */ - - len = 0; - while ((c = *src++) != '\0') { if (c == '&') no = 0; else if (c == '$' && apr_isdigit(*src)) no = *src++ - '0'; else - no = 10; + no = AP_MAX_REG_MATCH; - if (no > 9) { /* Ordinary character. */ + if (no >= AP_MAX_REG_MATCH) { /* Ordinary character. */ if (c == '\\' && (*src == '$' || *src == '&')) src++; len++; 
@@ -396,14 +400,17 @@ AP_DECLARE(char *) ap_pregsub(apr_pool_t if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) { ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "integer overflow or out of memory condition." ); - return NULL; + return APR_ENOMEM; } len += pmatch[no].rm_eo - pmatch[no].rm_so; } } - dest = dst = apr_pcalloc(p, len + 1); + if (len >= maxlen && maxlen > 0) + return APR_ENOMEM; + + *result = dst = apr_palloc(p, len + 1); /* Now actually fill in the string */ @@ -415,9 +422,9 @@ AP_DECLARE(char *) ap_pregsub(apr_pool_t else if (c == '$' && apr_isdigit(*src)) no = *src++ - '0'; else - no = 10; + no = AP_MAX_REG_MATCH; - if (no > 9) { /* Ordinary character. */ + if (no >= AP_MAX_REG_MATCH) { /* Ordinary character. */ if (c == '\\' && (*src == '$' || *src == '&')) c = *src++; *dst++ = c; @@ -431,7 +438,35 @@ AP_DECLARE(char *) ap_pregsub(apr_pool_t } *dst = '\0'; - return dest; + return APR_SUCCESS; +} + +#ifndef AP_PREGSUB_MAXLEN +/* No API control so far in this released branch, so make it large */ +#define AP_PREGSUB_MAXLEN (64 * 1024 * 1024) +#endif +AP_DECLARE(char *) ap_pregsub(apr_pool_t *p, const char *input, + const char *source, size_t nmatch, + ap_regmatch_t pmatch[]) +{ + char *result; + apr_status_t rc = regsub_core(p, &result, input, source, nmatch, + pmatch, AP_PREGSUB_MAXLEN); + if (rc != APR_SUCCESS) + result = NULL; + return result; +} + +AP_DECLARE(apr_status_t) ap_pregsub_ex(apr_pool_t *p, char **result, + const char *input, const char *source, + apr_size_t nmatch, ap_regmatch_t pmatch[], + apr_size_t maxlen) +{ + apr_status_t rc = regsub_core(p, result, input, source, nmatch, + pmatch, maxlen); + if (rc != APR_SUCCESS) + *result = NULL; + return rc; } /*
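Review bot: In the include/httpd.h hunk, the new doc comment for ap_pregsub_ex() names two different functions as the source of the match data: the description says "the call to ap_regexec", but the @param lines for nmatch and pmatch say "returned from ap_pregex". Use ap_regexec in both @param lines. The @return line should also list APR_EINVAL, which regsub_core() returns when source is NULL or nmatch exceeds AP_MAX_REG_MATCH, so callers know that a failure is not always a length problem.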
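Review bot: In the modules/metadata/mod_setenvif.c hunk, the new else branch has to guess at the cause ("value too long?") because ap_pregsub() collapses every failure to NULL, and regsub_core() can also fail with APR_EINVAL. Calling ap_pregsub_ex() here would give a real apr_status_t to pass to ap_log_rerror() in place of the literal 0, and the message could then drop the question mark. APLOG_CRIT also looks high for a condition that is evaluated per request in match_headers(); consider APLOG_ERR so that repeated failures do not fill the log at critical severity.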
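Review bot: In the server/util.c hunk at -396, the limit test "if (len >= maxlen && maxlen > 0)" rejects a result of exactly maxlen characters, while httpd.h documents maxlen as "the maximum string length to return"; the nmatch == 0 path in the previous hunk has the same ">=" test. Either change both to "len > maxlen" or document that maxlen includes the terminating NUL. The two tests are also written with their operands in opposite order ("maxlen > 0 && len >= maxlen" above, "len >= maxlen && maxlen > 0" here); pick one form. Last, hitting the limit returns APR_ENOMEM silently, the same code the integer-overflow guard just above returns with a warning, so a caller cannot tell a configured limit from an arithmetic overflow; a distinct status or a log line on the limit path would help.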
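Review bot: In the server/util.c hunk at -431, ap_pregsub() now returns NULL for any result at or above AP_PREGSUB_MAXLEN, but the only caller updated in this commit is mod_setenvif.c. Every other caller of ap_pregsub() in the tree needs the same NULL check before this ships, since a caller that uses the return value unchecked turns an oversized substitution into a NULL dereference. AP_PREGSUB_MAXLEN is defined only inside util.c, so the effective limit is invisible to modules; stating the limit in the ap_pregsub() doc comment in httpd.h would cover that. In ap_pregsub_ex(), "*result = NULL" on failure dereferences result, which is guarded only by AP_DEBUG_ASSERT in regsub_core(); add an explicit check or document that result must be non-NULL.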