Attachment #44785 for bug #95709

View | Details | Raw Unified | Return to bug 95709
Collapse All | Expand All

Lines 121-127 Link Here

(-)src/modules/proxy/proxy_http.c (-13 / +34 lines)
121	char portstr[32];	121	char portstr[32];
122	pool *p = r->pool;	122	pool *p = r->pool;
123	int destport = 0;	123	int destport = 0;
124	int chunked = 0;	124	const char *chunked = NULL;
125	char *destportstr = NULL;	125	char *destportstr = NULL;
126	const char *urlptr = NULL;	126	const char *urlptr = NULL;
127	const char datestr, urlstr;	127	const char datestr, urlstr;
Lines 338-344 Link Here
338	ap_table_mergen(req_hdrs, "X-Forwarded-Server", r->server->server_hostname);	338	ap_table_mergen(req_hdrs, "X-Forwarded-Server", r->server->server_hostname);
339	}	339	}
340		340
341	/* we don't yet support keepalives - but we will soon, I promise! */	341	/* we don't yet support keepalives - but we will soon, I promise!
		342	* XXX: This introduces various HTTP Request vulnerabilies if not
		343	* properly implemented. Before changing this .. be certain to
		344	* add a hard-close of the connection if the T-E and C-L headers
		345	* are both present, or the C-L header is malformed.
		346	*/
342	ap_table_set(req_hdrs, "Connection", "close");	347	ap_table_set(req_hdrs, "Connection", "close");
343		348
344	reqhdrs_arr = ap_table_elts(req_hdrs);	349	reqhdrs_arr = ap_table_elts(req_hdrs);
Lines 475-499 Link Here
475	}	480	}
476		481
477	/* is this content chunked? */	482	/* is this content chunked? */
478	chunked = ap_find_last_token(r->pool,	483	chunked = ap_table_get(resp_hdrs, "Transfer-Encoding");
479	ap_table_get(resp_hdrs, "Transfer-Encoding"),	484	if (chunked && (strcasecmp(chunked, "chunked") != 0)) {
480	"chunked");	485	ap_kill_timeout(r);
		486	return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool,
		487	"Unsupported Transfer-Encoding ", chunked,
		488	" from remote server", NULL));
		489	}
481		490
482	/* strip hop-by-hop headers defined by Connection and RFC2616 */	491	/* strip hop-by-hop headers defined by Connection and RFC2616 */
483	ap_proxy_clear_connection(p, resp_hdrs);	492	ap_proxy_clear_connection(p, resp_hdrs);
484		493
485	content_length = ap_table_get(resp_hdrs, "Content-Length");	494	content_length = ap_table_get(resp_hdrs, "Content-Length");
486	if (content_length != NULL) {	495	if (content_length != NULL) {
487	c->len = ap_strtol(content_length, NULL, 10);	496	if (chunked) {
		497	/* XXX: We would unset keep-alive here, to the proxy
		498	* origin server, for safety's sake but we aren't using
		499	* keep-alives (we force Connection: close above)
		500	*/
		501	nocache = 1; /* do not cache this suspect file */
		502	ap_table_unset(resp_hdrs, "Content-Length");
		503	}
		504	else {
		505	char *len_end;
		506	errno = 0;
		507	c->len = ap_strtol(content_length, &len_end, 10);
488		508
489	if (c->len < 0) {	509	if (errno \|\| (c->len < 0) \|\| (len_end && *len_end)) {
490	ap_kill_timeout(r);	510	ap_kill_timeout(r);
491	return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool,	511	return ap_proxyerror(r, HTTP_BAD_GATEWAY,
492	"Invalid Content-Length from remote server",	512	"Invalid Content-Length from remote"
493	NULL));	513	" server");
		514	}
494	}	515	}
495	}	516	}
496
497	}	517	}
498	else {	518	else {
499	/* an http/0.9 response */	519	/* an http/0.9 response */
Lines 612-618 Link Here
612	* content length is not known. We need to make 100% sure c->len is always	632	* content length is not known. We need to make 100% sure c->len is always
613	* set correctly before we get here to correctly do keepalive.	633	* set correctly before we get here to correctly do keepalive.
614	*/	634	*/
615	ap_proxy_send_fb(f, r, c, c->len, 0, chunked, conf->io_buffer_size);	635	ap_proxy_send_fb(f, r, c, c->len, 0, chunked != NULL,
		636	conf->io_buffer_size);
616	}	637	}
617		638
618	/* ap_proxy_send_fb() closes the socket f for us */	639	/* ap_proxy_send_fb() closes the socket f for us */

Return to bug 95709