https://issues.apache.org/ooo/show_bug.cgi?id=121926

            Bug ID: 121926
        Issue Type: DEFECT
           Summary: webdav ucp: malformed PROPFIND request body
    Classification: Code
           Product: General
           Version: AOO 3.4.0
          Hardware: All
                OS: All
            Status: CONFIRMED
          Severity: normal
          Priority: P3
         Component: code
          Assignee: [email protected]
          Reporter: [email protected]
                CC: [email protected]

All PROPFIND requests fail. Looking at the Apache server log reveals that the
request body is malformed:

[Thu Mar 21 00:36:46.999020 2013] [core:error] [pid 1114] [client ::1:44866]
AH00541: XML Parser Error: XML parser error code: not well-formed (invalid
token) (4)

The server response:

HTTP/1.1 400 Bad Request
Date: Thu, 21 Mar 2013 03:36:46 GMT
Server: Apache/2.4.3 (Fedora) OpenSSL/1.0.1e-fips PHP/5.4.12 mod_wsgi/3.4
Python/2.7.3 mod_perl/2.0.7 Perl/v5.16.2
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>


Looking at the code
http://svn.apache.org/viewvc/incubator/ooo/trunk/main/ucb/source/ucp/webdav/SerfPropFindReqProcImpl.cxx?revision=1351981&view=markup#l139

139     body_bkt = SERF_BUCKET_SIMPLE_STRING( rtl::OUStringToOString( aBodyText, RTL_TEXTENCODING_UTF8 ),
140     pSerfBucketAlloc );

a) this is passing the rtl::OString, not a null-terminated string
b) when the rtl string dies, the body bucket will point to garbage; looking at
the code in serf:


serf_bucket_t *serf_bucket_simple_create(
    const char *data,
    apr_size_t len,
    serf_simple_freefunc_t freefunc,
    void *freefunc_baton,
    serf_bucket_alloc_t *allocator)
{
    simple_context_t *ctx;

    ctx = serf_bucket_mem_alloc(allocator, sizeof(*ctx));
    ctx->original = ctx->current = data;
    ctx->remaining = len;
    ctx->freefunc = freefunc;
    ctx->baton = freefunc_baton;

    return serf_bucket_create(&serf_bucket_type_simple, allocator, ctx);
}

data is not copied. This will only work for string literals in read-only
storage that live longer than the function call.
In this case, the string content is freed when
SerfPropFindReqProcImpl::createSerfRequestBucket returns.
This way, the PROPFIND request body has garbage.
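The following is an added, self-contained illustration of the lifetime problem described above and of two ways to fix it; it is not code from the report or from the OpenOffice/serf sources. It models serf's simple bucket with a struct of the same shape as serf_bucket_simple_create (pointer stored, nothing copied), stands in for the temporary rtl::OString with a small fixed pool whose "free" scribbles over the bytes so the garbage body is observable without undefined behaviour, and uses a constructed PROPFIND body. The freefunc-based fix and the body_ member are assumptions about how a fix could look, not the project's actual change.

```cpp
#include <cassert>
#include <cstdlib>
#include <cstring>
#include <string>

// Stand-in for serf's simple bucket, modelled on serf_bucket_simple_create above.
typedef void (*freefunc_t)(void *baton, const char *data);

struct SimpleBucket {
    const char *original;
    const char *current;
    size_t      remaining;
    freefunc_t  freefunc;
    void       *baton;
};

// Like serf_bucket_simple_create: the bucket stores the pointer and copies nothing.
SimpleBucket *simple_create(const char *data, size_t len,
                            freefunc_t freefunc, void *baton) {
    SimpleBucket *b = new SimpleBucket;
    b->original = b->current = data;
    b->remaining = len;
    b->freefunc = freefunc;
    b->baton = baton;
    return b;
}

// Drains the bucket the way the transport does when it writes the request body.
std::string bucket_read_all(SimpleBucket *b) {
    std::string out(b->current, b->remaining);
    b->current += b->remaining;
    b->remaining = 0;
    return out;
}

// Releases bucket-owned data (if a freefunc was supplied) and the bucket itself.
void bucket_destroy(SimpleBucket *b) {
    if (b->freefunc) b->freefunc(b->baton, b->original);
    delete b;
}

// A tiny fixed "heap" for the converted string: pool_free scribbles '#' over the
// bytes, the kind of garbage a real allocator leaves once the temporary is gone.
static char g_pool[256];

const char *pool_strdup(const std::string &s) {   // models the temporary rtl::OString
    assert(s.size() < sizeof(g_pool));
    memcpy(g_pool, s.data(), s.size());
    g_pool[s.size()] = '\0';
    return g_pool;
}
void pool_free(const char *p) {                    // models the OString destructor
    memset(g_pool, '#', strlen(p));
}

// Constructed sample PROPFIND body (not taken from the project).
static const std::string kPropfindBody =
    "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
    "<D:propfind xmlns:D=\"DAV:\"><D:allprop/></D:propfind>";

// BUGGY: the converted string is a temporary that is destroyed before the bucket
// is read, the pattern the report describes for createSerfRequestBucket.
SimpleBucket *create_body_bucket_dangling() {
    const char *tmp = pool_strdup(kPropfindBody);
    SimpleBucket *b = simple_create(tmp, strlen(tmp), NULL, NULL);
    pool_free(tmp);   // the temporary's lifetime ends; the bucket still points at it
    return b;
}

// FIX 1: give the bucket its own copy plus a freefunc, so the data lives as long
// as the bucket does (uses the freefunc/baton slots shown in the serf snippet).
static void free_copy(void *, const char *data) { free(const_cast<char *>(data)); }

SimpleBucket *create_body_bucket_owned() {
    const char *tmp = pool_strdup(kPropfindBody);
    size_t len = strlen(tmp);
    char *copy = static_cast<char *>(malloc(len + 1));
    memcpy(copy, tmp, len + 1);
    pool_free(tmp);
    return simple_create(copy, len, free_copy, NULL);
}

// FIX 2: keep the converted string in an object that outlives the request
// (a hypothetical body_ member on the request processor).
struct RequestProcessor {
    std::string body_;
    SimpleBucket *create_body_bucket() {
        body_ = kPropfindBody;   // stored on the object, not a temporary
        return simple_create(body_.data(), body_.size(), NULL, NULL);
    }
};

// What the server would receive from each variant.
std::string body_sent_by(SimpleBucket *(*factory)()) {
    SimpleBucket *b = factory();
    std::string body = bucket_read_all(b);
    bucket_destroy(b);
    return body;
}
std::string body_sent_by_processor() {
    RequestProcessor rp;
    SimpleBucket *b = rp.create_body_bucket();
    std::string body = bucket_read_all(b);
    bucket_destroy(b);
    return body;
}
```

With the dangling variant the bytes the transport sends are all '#', which is why the server's XML parser rejects the body; both fixes deliver the intact document. In real code the first fix corresponds to passing a heap copy with a freefunc (as I recall, serf also ships serf_bucket_simple_copy_create for exactly this), and the second to keeping the OString alive on the request object rather than building it inside the call expression.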
