On Wed, Jun 28, 2017 at 7:14 AM, Yann <ylavic....@gmail.com> wrote:
>
> Looks like the code after the patch below would be simpler and work too:

Agreed this is easier to follow, tmp_field is otherwise unused in the
unsafe code path. Proposed for backport, thanks.

Note this patch is the 2.2, non-APLOGNO flavor;

> Index: server/protocol.c
> ===================================================================
> --- server/protocol.c    (revision 1800151)
> +++ server/protocol.c    (working copy)
> @@ -1081,8 +1081,12 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_
>                      return;
>                  }
>
> -                /* last character of field-name */
> -                tmp_field = value - (value > last_field ? 1 : 0);
> +                if (value == last_field) {
> +                    r->status = HTTP_BAD_REQUEST;
> +                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
> +                                  "Request header field name was empty");
> +                    return;
> +                }
>
>                  *value++ = '\0'; /* NUL-terminate at colon */
>
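Review bot: The new test `value == last_field` is not equivalent to the check it replaces, and the commit log should say so. With the removed `tmp_field = value - (value > last_field ? 1 : 0);`, tmp_field equals last_field both when the colon is the first byte and when value == last_field + 1, so, as long as tmp_field is not touched elsewhere on this path, a one-character field name was also reported as empty. The new condition rejects only a name of zero length, which is a functional change rather than a pure simplification. A short comment above the `if`, replacing the deleted one and stating that value points at the colon at this point, would make the pointer comparison easier to audit.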
> @@ -1105,13 +1109,6 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_
>                                    " bad whitespace");
>                      return;
>                  }
> -
> -                if (tmp_field == last_field) {
> -                    r->status = HTTP_BAD_REQUEST;
> -                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
> -                                  "Request header field name was empty");
> -                    return;
> -                }
>              }
>              else /* Using strict RFC7230 parsing */
>              {
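Review bot: Removing the `tmp_field == last_field` block here moves the empty-name rejection ahead of the NUL-termination and the whitespace check shown in the context lines, so a line with both an empty name and bad whitespace is now logged as "Request header field name was empty" instead of the whitespace message. Both paths return early, so the ordering is acceptable, but it is worth a mention for anyone matching on these log strings. Please also confirm that tmp_field is still assigned before any remaining use in the strict branch, or drop its declaration if no use remains, so the change leaves neither an uninitialized read nor an unused-variable warning.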
> _
