登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 41

Lee-Nio / httpd

forked from src-openEuler / httpd 
代码 Issues 1 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
backport-CVE-2022-22720.patch 6.04 KB
一键复制 编辑 原始数据 按行查看 历史
yangl777 提交于 2022-03-28 19:29 . fix CVE-2022-22719 CVE-2022-22720 CVE-2022-22721 CVE-2022-23934 sync from 22.03
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187
From 19aa2d83b379719420f3a178413325156d7a62f3 Mon Sep 17 00:00:00 2001

From: Yann Ylavic <ylavic@apache.org>

Date: Mon, 7 Mar 2022 14:46:08 +0000

Subject: [PATCH] core: Simpler connection close logic if discarding the

 request body fails.



If ap_discard_request_body() sets AP_CONN_CLOSE by itself it simplifies and

allows to consolidate end_output_stream() and error_output_stream().





Merge r1898683 from trunk.

Submitted by: ylavic, rpluem

Reviewed by: ylavic, rpluem, covener





git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898692 13f79535-47bb-0310-9956-ffa450edef68

---

 changes-entries/discard_body.diff |  2 +

 modules/http/http_filters.c       | 69 ++++++++++++++++---------------

 server/protocol.c                 | 14 +++++--

 3 files changed, 48 insertions(+), 37 deletions(-)

 create mode 100644 changes-entries/discard_body.diff



diff --git a/changes-entries/discard_body.diff b/changes-entries/discard_body.diff

new file mode 100644

index 00000000000..6b467ac5ee3

--- /dev/null

+++ b/changes-entries/discard_body.diff

@@ -0,0 +1,2 @@

+  *) core: Simpler connection close logic if discarding the request body fails.

+     [Yann Ylavic, Ruediger Pluem]

\ No newline at end of file

diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c

index d9b36212155..43e8c6dd5d5 100644

--- a/modules/http/http_filters.c

+++ b/modules/http/http_filters.c

@@ -1598,9 +1598,9 @@ AP_DECLARE(int) ap_map_http_request_error(apr_status_t rv, int status)

  */

 AP_DECLARE(int) ap_discard_request_body(request_rec *r)

 {

+    int rc = OK;

+    conn_rec *c = r->connection;

     apr_bucket_brigade *bb;

-    int seen_eos;

-    apr_status_t rv;

 

     /* Sometimes we'll get in a state where the input handling has

      * detected an error where we want to drop the connection, so if

@@ -1609,54 +1609,57 @@ AP_DECLARE(int) ap_discard_request_body(request_rec *r)

      *

      * This function is also a no-op on a subrequest.

      */

-    if (r->main || r->connection->keepalive == AP_CONN_CLOSE ||

-        ap_status_drops_connection(r->status)) {

+    if (r->main || c->keepalive == AP_CONN_CLOSE) {

+        return OK;

+    }

+    if (ap_status_drops_connection(r->status)) {

+        c->keepalive = AP_CONN_CLOSE;

         return OK;

     }

 

     bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);

-    seen_eos = 0;

-    do {

-        apr_bucket *bucket;

+    for (;;) {

+        apr_status_t rv;

 

         rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES,

                             APR_BLOCK_READ, HUGE_STRING_LEN);

-

         if (rv != APR_SUCCESS) {

-            apr_brigade_destroy(bb);

-            return ap_map_http_request_error(rv, HTTP_BAD_REQUEST);

+            rc = ap_map_http_request_error(rv, HTTP_BAD_REQUEST);

+            goto cleanup;

         }

 

-        for (bucket = APR_BRIGADE_FIRST(bb);

-             bucket != APR_BRIGADE_SENTINEL(bb);

-             bucket = APR_BUCKET_NEXT(bucket))

-        {

-            const char *data;

-            apr_size_t len;

+        while (!APR_BRIGADE_EMPTY(bb)) {

+            apr_bucket *b = APR_BRIGADE_FIRST(bb);

 

-            if (APR_BUCKET_IS_EOS(bucket)) {

-                seen_eos = 1;

-                break;

-            }

-

-            /* These are metadata buckets. */

-            if (bucket->length == 0) {

-                continue;

+            if (APR_BUCKET_IS_EOS(b)) {

+                goto cleanup;

             }

 

-            /* We MUST read because in case we have an unknown-length

-             * bucket or one that morphs, we want to exhaust it.

+            /* There is no need to read empty or metadata buckets or

+             * buckets of known length, but we MUST read buckets of

+             * unknown length in order to exhaust them.

              */

-            rv = apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ);

-            if (rv != APR_SUCCESS) {

-                apr_brigade_destroy(bb);

-                return HTTP_BAD_REQUEST;

+            if (b->length == (apr_size_t)-1) {

+                apr_size_t len;

+                const char *data;

+

+                rv = apr_bucket_read(b, &data, &len, APR_BLOCK_READ);

+                if (rv != APR_SUCCESS) {

+                    rc = HTTP_BAD_REQUEST;

+                    goto cleanup;

+                }

             }

+

+            apr_bucket_delete(b);

         }

-        apr_brigade_cleanup(bb);

-    } while (!seen_eos);

+    }

 

-    return OK;

+cleanup:

+    apr_brigade_cleanup(bb);

+    if (rc != OK) {

+        c->keepalive = AP_CONN_CLOSE;

+    }

+    return rc;

 }

 

 /* Here we deal with getting the request message body from the client.

diff --git a/server/protocol.c b/server/protocol.c

index 2214f72b5a4..298f61e1fb8 100644

--- a/server/protocol.c

+++ b/server/protocol.c

@@ -1687,23 +1687,29 @@ AP_DECLARE(void) ap_set_sub_req_protocol(request_rec *rnew,

     rnew->main = (request_rec *) r;

 }

 

-static void end_output_stream(request_rec *r)

+static void end_output_stream(request_rec *r, int status)

 {

     conn_rec *c = r->connection;

     apr_bucket_brigade *bb;

     apr_bucket *b;

 

     bb = apr_brigade_create(r->pool, c->bucket_alloc);

+    if (status != OK) {

+        b = ap_bucket_error_create(status, NULL, r->pool, c->bucket_alloc);

+        APR_BRIGADE_INSERT_TAIL(bb, b);

+    }

     b = apr_bucket_eos_create(c->bucket_alloc);

     APR_BRIGADE_INSERT_TAIL(bb, b);

+

     ap_pass_brigade(r->output_filters, bb);

+    apr_brigade_cleanup(bb);

 }

 

 AP_DECLARE(void) ap_finalize_sub_req_protocol(request_rec *sub)

 {

     /* tell the filter chain there is no more content coming */

     if (!sub->eos_sent) {

-        end_output_stream(sub);

+        end_output_stream(sub, OK);

     }

 }

 

@@ -1714,11 +1720,11 @@ AP_DECLARE(void) ap_finalize_sub_req_protocol(request_rec *sub)

  */

 AP_DECLARE(void) ap_finalize_request_protocol(request_rec *r)

 {

-    (void) ap_discard_request_body(r);

+    int status = ap_discard_request_body(r);

 

     /* tell the filter chain there is no more content coming */

     if (!r->eos_sent) {

-        end_output_stream(r);

+        end_output_stream(r, status);

     }

 }
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/lee-nio/httpd.git
git@gitee.com:lee-nio/httpd.git
lee-nio
httpd
httpd
master
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
仓库举报
回到顶部