File apache2-CVE-2022-22721.patch of Package apache2.36335
Index: httpd-2.4.51/changes-entries/AP_MAX_LIMIT_XML_BODY.diff
===================================================================
--- /dev/null
+++ httpd-2.4.51/changes-entries/AP_MAX_LIMIT_XML_BODY.diff
@@ -0,0 +1,2 @@
+ *) core: Make sure and check that LimitXMLRequestBody fits in system memory.
+ [Ruediger Pluem, Yann Ylavic]
\ No newline at end of file
Index: httpd-2.4.51/server/core.c
===================================================================
--- httpd-2.4.51.orig/server/core.c
+++ httpd-2.4.51/server/core.c
@@ -72,6 +72,8 @@
 /* LimitXMLRequestBody handling */
 #define AP_LIMIT_UNSET ((long) -1)
 #define AP_DEFAULT_LIMIT_XML_BODY ((apr_size_t)1000000)
+/* Hard limit for ap_escape_html2() */
+#define AP_MAX_LIMIT_XML_BODY ((apr_size_t)(APR_SIZE_MAX / 6 - 1))
 #define AP_MIN_SENDFILE_BYTES (256)
@@ -3767,6 +3769,11 @@ static const char *set_limit_xml_req_bod
 if (conf->limit_xml_body < 0)
 return "LimitXMLRequestBody requires a non-negative integer.";
+ /* zero is AP_MAX_LIMIT_XML_BODY (implicitly) */
+ if ((apr_size_t)conf->limit_xml_body > AP_MAX_LIMIT_XML_BODY)
+ return apr_psprintf(cmd->pool, "LimitXMLRequestBody must not exceed "
+ "%" APR_SIZE_T_FMT, AP_MAX_LIMIT_XML_BODY);
+
 return NULL;
 }
@@ -3855,6 +3862,8 @@ AP_DECLARE(apr_size_t) ap_get_limit_xml_
 conf = ap_get_core_module_config(r->per_dir_config);
 if (conf->limit_xml_body == AP_LIMIT_UNSET)
 return AP_DEFAULT_LIMIT_XML_BODY;
+ if (conf->limit_xml_body == 0)
+ return AP_MAX_LIMIT_XML_BODY;
 return (apr_size_t)conf->limit_xml_body;
 }
Index: httpd-2.4.51/server/util.c
===================================================================
--- httpd-2.4.51.orig/server/util.c
+++ httpd-2.4.51/server/util.c
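Review bot: The comment added above `AP_MAX_LIMIT_XML_BODY` in server/core.c names ap_escape_html2() but does not say where the divisor 6 comes from, so the constant and the escaping code can drift apart unnoticed. The counting loop patched in server/util.c adds at most 5 extra bytes per input byte (`j += 5`), that is at most 6 output bytes per input byte. I would state that in the comment, e.g. `/* Hard limit for ap_escape_html2(): one input byte can expand to 6 output bytes, so 6 * limit must stay below APR_SIZE_MAX */`.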
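Review bot: `LimitXMLRequestBody 0` is still accepted without any message in set_limit_xml_req_body (server/core.c), and the ap_get_limit_xml_body() hunk that follows now resolves it to `AP_MAX_LIMIT_XML_BODY`, which on a 64-bit build is far beyond any real memory budget. The size arithmetic is bounded, but memory use for such a request is not, as the updated manual text in this patch concedes. A startup warning when the value is 0 would make that visible to administrators; at minimum the comment could read `/* zero is kept for compatibility and maps to AP_MAX_LIMIT_XML_BODY in ap_get_limit_xml_body(); it does not bound memory use in practice */`. Callers of ap_get_limit_xml_body() that tested the result for 0 will no longer see that value, which deserves a line in that function's comment; both function bodies start outside their hunks.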
@@ -2142,11 +2142,14 @@ AP_DECLARE(char *) ap_escape_urlencoded(
 AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc)
 {
- int i, j;
+ apr_size_t i, j;
 char *x;
 /* first, count the number of extra characters */
- for (i = 0, j = 0; s[i] != '\0'; i++)
+ for (i = 0, j = 0; s[i] != '\0'; i++) {
+ if (i + j > APR_SIZE_MAX - 6) {
+ abort();
+ }
 if (s[i] == '<' || s[i] == '>')
 j += 3;
 else if (s[i] == '&')
@@ -2155,6 +2158,7 @@ AP_DECLARE(char *) ap_escape_html2(apr_p
 j += 5;
 else if (toasc && !apr_isascii(s[i]))
 j += 5;
+ }
 if (j == 0)
 return apr_pstrmemdup(p, s, i);
Index: httpd-2.4.51/server/util_xml.c
===================================================================
--- httpd-2.4.51.orig/server/util_xml.c
+++ httpd-2.4.51/server/util_xml.c
@@ -85,7 +85,7 @@ AP_DECLARE(int) ap_xml_parse_input(reque
 }
 total_read += len;
- if (limit_xml_body && total_read > limit_xml_body) {
+ if (total_read > limit_xml_body) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00539)
 "XML request body is larger than the configured "
 "limit of %lu", (unsigned long)limit_xml_body);
Index: httpd-2.4.51/docs/manual/mod/core.html.en
===================================================================
--- httpd-2.4.51.orig/docs/manual/mod/core.html.en
+++ httpd-2.4.51/docs/manual/mod/core.html.en
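Review bot: The new guard in the counting loop of ap_escape_html2 (server/util.c) leaves no headroom for the string terminator: an iteration may start with `i + j` equal to `APR_SIZE_MAX - 6` and then add 6, so the loop can end with `i + j == APR_SIZE_MAX`. The allocation is outside this hunk; if it is sized `i + j + 1`, as I would expect, that sum wraps, so I would compare against one less: `if (i + j > APR_SIZE_MAX - 7) {`. Separately, `abort()` ends the process with nothing logged, so a short comment saying why aborting is preferred to returning an error would help whoever later meets the core dump.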
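Review bot: The log call under the changed condition in ap_xml_parse_input (server/util_xml.c) still prints the limit with `%lu` and a cast to `unsigned long`, which truncates on platforms where `unsigned long` is narrower than `apr_size_t`. That matters more now that the limit can be `AP_MAX_LIMIT_XML_BODY`; the core.c part of this patch already uses the portable form, so this could be `"limit of %" APR_SIZE_T_FMT, limit_xml_body);`. Dropping the `limit_xml_body &&` test is only safe while the value comes from ap_get_limit_xml_body(), which is not visible in this hunk, so a one-line comment stating that zero can no longer occur would keep that dependency explicit.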
@@ -2977,15 +2977,20 @@ from the client</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Core</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>core</td></tr> </table> - <p>Limit (in bytes) on maximum size of an XML-based request - body. A value of <code>0</code> will disable any checking.</p> + <p>Limit (in bytes) on the maximum size of an XML-based request + body. A value of <code>0</code> will apply a hard limit (depending on + 32bit vs 64bit system) allowing for XML escaping within the bounds of + the system addressable memory, but it exists for compatibility only + and is not recommended since it does not account for memory consumed + elsewhere or concurrent requests, which might result in an overall + system out-of-memory.<p> <p>Example:</p> - <pre class="prettyprint lang-config">LimitXMLRequestBody 0</pre> - - - + <pre class="prettyprint lang-config"> + # Limit of 1 MiB + LimitXMLRequestBody 1073741824 + </pre> </div> <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="directive-section"><h2><a name="Location" id="Location"><Location></a> <a name="location" id="location">Directive</a></h2> Index: httpd-2.4.51/docs/manual/mod/core.html.es =================================================================== --- httpd-2.4.51.orig/docs/manual/mod/core.html.es +++ httpd-2.4.51/docs/manual/mod/core.html.es 
@@ -2527,13 +2527,19 @@ from the client</td></tr> <tr><th><a href="directive-dict.html#Status">Estado:</a></th><td>Core</td></tr> <tr><th><a href="directive-dict.html#Module">Módulo:</a></th><td>core</td></tr> </table> - <p>Limit (in bytes) on maximum size of an XML-based request - body. A value of <code>0</code> will disable any checking.</p> + <p>Limit (in bytes) on the maximum size of an XML-based request + body. A value of <code>0</code> will apply a hard limit (depending on + 32bit vs 64bit system) allowing for XML escaping within the bounds of + the system addressable memory, but it exists for compatibility only + and is not recommended since it does not account for memory consumed + elsewhere or concurrent requests, which might result in an overall + system out-of-memory.<p> <p>Example:</p> <div class="example"><p><code> - LimitXMLRequestBody 0 + # Limit of 1 MiB + LimitXMLRequestBody 1073741824 </code></p></div>