On Wed, Jun 28, 2017 at 7:14 AM, Yann <ylavic....@gmail.com> wrote:
>
> Looks like the code after the patch below would be simpler and work too:
Agreed this is easier to follow, tmp_field is otherwise unused in the unsafe code path. Proposed for backport, thanks. Note this patch is the 2.2, non-APLOGNO flavor; > Index: server/protocol.c > =================================================================== > --- server/protocol.c (revision 1800151) > +++ server/protocol.c (working copy) > @@ -1081,8 +1081,12 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_ > return; > } > > - /* last character of field-name */ > - tmp_field = value - (value > last_field ? 1 : 0); > + if (value == last_field) { > + r->status = HTTP_BAD_REQUEST; > + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, > + "Request header field name was empty"); > + return; > + } > > *value++ = '\0'; /* NUL-terminate at colon */ > > @@ -1105,13 +1109,6 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_ > " bad whitespace"); > return; > } > - > - if (tmp_field == last_field) { > - r->status = HTTP_BAD_REQUEST; > - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, > - "Request header field name was empty"); > - return; > - } > } > else /* Using strict RFC7230 parsing */ > { > _
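Review bot: The new `value == last_field` test in the first hunk (@@ -1081) is not equivalent to the check it replaces, and that difference should be stated in the log message and CHANGES. The removed assignment set tmp_field to value - 1 whenever value > last_field, so the old `tmp_field == last_field` comparison was also true for a field name exactly one character long; the new test is true only when the colon is the first byte of the line. A test that sends a single-character field name next to the empty-name case would pin down the intended behaviour for the backport.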
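Review bot: The order of diagnostics changes with the second hunk (@@ -1105), which is worth one line in the commit message. The removed block ran after the " bad whitespace" check, while its replacement in the first hunk returns before the colon is NUL-terminated, so a line with both an empty field name and bad whitespace now logs "Request header field name was empty" rather than the whitespace message. The status is HTTP_BAD_REQUEST on either path, so only the APLOG_DEBUG output differs.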