source: trunk/server/common/patches/httpd-2.2.x-CVE-2010-0434.patch @ 1532

httpd-2.2.x/server/protocol.c

@@ -1041 +1041 @@
     return r;
 }
 
-/* if a request with a body creates a subrequest, clone the original request's
- * input headers minus any headers pertaining to the body which has already
- * been read.  out-of-line helper function for ap_set_sub_req_protocol.
+/* if a request with a body creates a subrequest, remove original request's
+ * input headers which pertain to the body which has already been read.
+ * out-of-line helper function for ap_set_sub_req_protocol.
  */
 
-static void clone_headers_no_body(request_rec *rnew,
-                                  const request_rec *r)
+static void strip_headers_request_body(request_rec *rnew)
 {
-    rnew->headers_in = apr_table_copy(rnew->pool, r->headers_in);
     apr_table_unset(rnew->headers_in, "Content-Encoding");
     apr_table_unset(rnew->headers_in, "Content-Language");
     apr_table_unset(rnew->headers_in, "Content-Length");
@@ -1083 +1081 @@
 
     rnew->status          = HTTP_OK;
 
+    rnew->headers_in = apr_table_copy(rnew->pool, r->headers_in);
+
     /* did the original request have a body?  (e.g. POST w/SSI tags)
      * if so, make sure the subrequest doesn't inherit body headers
      */
     if (apr_table_get(r->headers_in, "Content-Length")
         || apr_table_get(r->headers_in, "Transfer-Encoding")) {
-        clone_headers_no_body(rnew, r);
-    } else {
-        /* no body (common case).  clone headers the cheap way */
-        rnew->headers_in      = r->headers_in;
+        strip_headers_request_body(rnew);
     }
     rnew->subprocess_env  = apr_table_copy(rnew->pool, r->subprocess_env);
     rnew->headers_out     = apr_table_make(rnew->pool, 5);