File httpd-2.4.9-bnc690734.patch of Package Apache2

diff -rNU 100 ../httpd-2.4.9-o/server/util_script.c ./server/util_script.c
--- ../httpd-2.4.9-o/server/util_script.c	2013-09-14 16:12:54.000000000 +0200
+++ ./server/util_script.c	2014-04-30 09:35:29.000000000 +0200
@@ -325,336 +325,348 @@
     }
 
     first = r->the_request;     /* use the request-line */
 
     while (*first && !apr_isspace(*first)) {
         ++first;                /* skip over the method */
     }
     while (apr_isspace(*first)) {
         ++first;                /*   and the space(s)   */
     }
 
     last = first;
     while (*last && !apr_isspace(*last)) {
         ++last;                 /* end at next whitespace */
     }
 
     return apr_pstrmemdup(r->pool, first, last - first);
 }
 
 AP_DECLARE(void) ap_add_cgi_vars(request_rec *r)
 {
     apr_table_t *e = r->subprocess_env;
 
     apr_table_setn(e, "GATEWAY_INTERFACE", "CGI/1.1");
     apr_table_setn(e, "SERVER_PROTOCOL", r->protocol);
     apr_table_setn(e, "REQUEST_METHOD", r->method);
     apr_table_setn(e, "QUERY_STRING", r->args ? r->args : "");
     apr_table_setn(e, "REQUEST_URI", original_uri(r));
 
     /* Note that the code below special-cases scripts run from includes,
      * because it "knows" that the sub_request has been hacked to have the
      * args and path_info of the original request, and not any that may have
      * come with the script URI in the include command.  Ugh.
      */
 
     if (!strcmp(r->protocol, "INCLUDED")) {
         apr_table_setn(e, "SCRIPT_NAME", r->uri);
         if (r->path_info && *r->path_info) {
             apr_table_setn(e, "PATH_INFO", r->path_info);
         }
     }
     else if (!r->path_info || !*r->path_info) {
         apr_table_setn(e, "SCRIPT_NAME", r->uri);
     }
     else {
         int path_info_start = ap_find_path_info(r->uri, r->path_info);
 
         apr_table_setn(e, "SCRIPT_NAME",
                       apr_pstrndup(r->pool, r->uri, path_info_start));
 
         apr_table_setn(e, "PATH_INFO", r->path_info);
     }
 
     if (r->path_info && r->path_info[0]) {
         /*
          * To get PATH_TRANSLATED, treat PATH_INFO as a URI path.
          * Need to re-escape it for this, since the entire URI was
          * un-escaped before we determined where the PATH_INFO began.
          */
         request_rec *pa_req;
 
         pa_req = ap_sub_req_lookup_uri(ap_escape_uri(r->pool, r->path_info), r,
                                        NULL);
 
         if (pa_req->filename) {
             char *pt = apr_pstrcat(r->pool, pa_req->filename, pa_req->path_info,
                                   NULL);
 #ifdef WIN32
             /* We need to make this a real Windows path name */
             apr_filepath_merge(&pt, "", pt, APR_FILEPATH_NATIVE, r->pool);
 #endif
             apr_table_setn(e, "PATH_TRANSLATED", pt);
         }
         ap_destroy_sub_req(pa_req);
     }
 }
 
 
 static int set_cookie_doo_doo(void *v, const char *key, const char *val)
 {
     apr_table_addn(v, key, val);
     return 1;
 }
 
 #define HTTP_UNSET (-HTTP_OK)
 #define SCRIPT_LOG_MARK  __FILE__,__LINE__,module_index
 
 AP_DECLARE(int) ap_scan_script_header_err_core_ex(request_rec *r, char *buffer,
                                        int (*getsfunc) (char *, int, void *),
                                        void *getsfunc_data,
                                        int module_index)
 {
     char x[MAX_STRING_LEN];
     char *w, *l;
     int p;
     int cgi_status = HTTP_UNSET;
     apr_table_t *merge;
     apr_table_t *cookie_table;
     int trace_log = APLOG_R_MODULE_IS_LEVEL(r, module_index, APLOG_TRACE1);
     int first_header = 1;
+    int wlen;
 
     if (buffer) {
         *buffer = '\0';
     }
-    w = buffer ? buffer : x;
+
+    if (r->server->limit_req_fieldsize + 2 > MAX_STRING_LEN) {
+        w = apr_palloc(r->pool, r->server->limit_req_fieldsize + 2);
+        wlen = r->server->limit_req_fieldsize + 2;
+    } else {
+        w = buffer ? buffer : x;
+        wlen = MAX_STRING_LEN;
+    }
+
 
     /* temporary place to hold headers to merge in later */
     merge = apr_table_make(r->pool, 10);
 
     /* The HTTP specification says that it is legal to merge duplicate
      * headers into one.  Some browsers that support Cookies don't like
      * merged headers and prefer that each Set-Cookie header is sent
      * separately.  Lets humour those browsers by not merging.
      * Oh what a pain it is.
      */
     cookie_table = apr_table_make(r->pool, 2);
     apr_table_do(set_cookie_doo_doo, cookie_table, r->err_headers_out, "Set-Cookie", NULL);
 
     while (1) {
 
-        int rv = (*getsfunc) (w, MAX_STRING_LEN - 1, getsfunc_data);
+        int rv = (*getsfunc) (w, wlen - 1, getsfunc_data);
         if (rv == 0) {
             const char *msg = "Premature end of script headers";
             if (first_header)
                 msg = "End of script output before headers";
             ap_log_rerror(SCRIPT_LOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r,
                           "%s: %s", msg,
                           apr_filepath_name_get(r->filename));
             return HTTP_INTERNAL_SERVER_ERROR;
         }
         else if (rv == -1) {
             ap_log_rerror(SCRIPT_LOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r,
                           "Script timed out before returning headers: %s",
                           apr_filepath_name_get(r->filename));
             return HTTP_GATEWAY_TIME_OUT;
         }
 
         /* Delete terminal (CR?)LF */
 
         p = strlen(w);
              /* Indeed, the host's '\n':
                 '\012' for UNIX; '\015' for MacOS; '\025' for OS/390
                  -- whatever the script generates.
              */
         if (p > 0 && w[p - 1] == '\n') {
             if (p > 1 && w[p - 2] == CR) {
                 w[p - 2] = '\0';
             }
             else {
                 w[p - 1] = '\0';
             }
         }
 
         /*
          * If we've finished reading the headers, check to make sure any
          * HTTP/1.1 conditions are met.  If so, we're done; normal processing
          * will handle the script's output.  If not, just return the error.
          * The appropriate thing to do would be to send the script process a
          * SIGPIPE to let it know we're ignoring it, close the channel to the
          * script process, and *then* return the failed-to-meet-condition
          * error.  Otherwise we'd be waiting for the script to finish
          * blithering before telling the client the output was no good.
          * However, we don't have the information to do that, so we have to
          * leave it to an upper layer.
          */
         if (w[0] == '\0') {
             int cond_status = OK;
 
             /* PR#38070: This fails because it gets confused when a
              * CGI Status header overrides ap_meets_conditions.
              *
              * We can fix that by dropping ap_meets_conditions when
              * Status has been set.  Since this is the only place
              * cgi_status gets used, let's test it explicitly.
              *
              * The alternative would be to ignore CGI Status when
              * ap_meets_conditions returns anything interesting.
              * That would be safer wrt HTTP, but would break CGI.
              */
             if ((cgi_status == HTTP_UNSET) && (r->method_number == M_GET)) {
                 cond_status = ap_meets_conditions(r);
             }
             apr_table_overlap(r->err_headers_out, merge,
                 APR_OVERLAP_TABLES_MERGE);
             if (!apr_is_empty_table(cookie_table)) {
                 /* the cookies have already been copied to the cookie_table */
                 apr_table_unset(r->err_headers_out, "Set-Cookie");
                 r->err_headers_out = apr_table_overlay(r->pool,
                     r->err_headers_out, cookie_table);
             }
             return cond_status;
         }
 
         if (trace_log) {
             if (first_header)
                 ap_log_rerror(SCRIPT_LOG_MARK, APLOG_TRACE4, 0, r,
                               "Headers from script '%s':",
                               apr_filepath_name_get(r->filename));
             ap_log_rerror(SCRIPT_LOG_MARK, APLOG_TRACE4, 0, r, "  %s", w);
         }
 
         /* if we see a bogus header don't ignore it. Shout and scream */
 
 #if APR_CHARSET_EBCDIC
             /* Chances are that we received an ASCII header text instead of
              * the expected EBCDIC header lines. Try to auto-detect:
              */
         if (!(l = strchr(w, ':'))) {
             int maybeASCII = 0, maybeEBCDIC = 0;
             unsigned char *cp, native;
             apr_size_t inbytes_left, outbytes_left;
 
             for (cp = w; *cp != '\0'; ++cp) {
                 native = apr_xlate_conv_byte(ap_hdrs_from_ascii, *cp);
                 if (apr_isprint(*cp) && !apr_isprint(native))
                     ++maybeEBCDIC;
                 if (!apr_isprint(*cp) && apr_isprint(native))
                     ++maybeASCII;
             }
             if (maybeASCII > maybeEBCDIC) {
                 ap_log_error(SCRIPT_LOG_MARK, APLOG_ERR, 0, r->server,
                              "CGI Interface Error: Script headers apparently ASCII: (CGI = %s)",
                              r->filename);
                 inbytes_left = outbytes_left = cp - w;
                 apr_xlate_conv_buffer(ap_hdrs_from_ascii,
                                       w, &inbytes_left, w, &outbytes_left);
             }
         }
 #endif /*APR_CHARSET_EBCDIC*/
         if (!(l = strchr(w, ':'))) {
             if (!buffer) {
                 /* Soak up all the script output - may save an outright kill */
-                while ((*getsfunc)(w, MAX_STRING_LEN - 1, getsfunc_data) > 0) {
+                while ((*getsfunc) (w, wlen - 1, getsfunc_data)) {
                     continue;
                 }
-            }
+            } else if (w != buffer) {
+		strncpy(buffer, w, MAX_STRING_LEN - 1);
+		buffer[MAX_STRING_LEN - 1] = 0;
+	    }
 
             ap_log_rerror(SCRIPT_LOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r,
                           "malformed header from script '%s': Bad header: %.30s",
                           apr_filepath_name_get(r->filename), w);
             return HTTP_INTERNAL_SERVER_ERROR;
         }
 
         *l++ = '\0';
         while (apr_isspace(*l)) {
             ++l;
         }
 
         if (!strcasecmp(w, "Content-type")) {
             char *tmp;
 
             /* Nuke trailing whitespace */
 
             char *endp = l + strlen(l) - 1;
             while (endp > l && apr_isspace(*endp)) {
                 *endp-- = '\0';
             }
 
             tmp = apr_pstrdup(r->pool, l);
             ap_content_type_tolower(tmp);
             ap_set_content_type(r, tmp);
         }
         /*
          * If the script returned a specific status, that's what
          * we'll use - otherwise we assume 200 OK.
          */
         else if (!strcasecmp(w, "Status")) {
             r->status = cgi_status = atoi(l);
             if (!ap_is_HTTP_VALID_RESPONSE(cgi_status))
                 ap_log_rerror(SCRIPT_LOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r,
                               "Invalid status line from script '%s': %.30s",
                               apr_filepath_name_get(r->filename), l);
             else
                 if (APLOGrtrace1(r))
                    ap_log_rerror(SCRIPT_LOG_MARK, APLOG_TRACE1, 0, r,
                                  "Status line from script '%s': %.30s",
                                  apr_filepath_name_get(r->filename), l);
             r->status_line = apr_pstrdup(r->pool, l);
         }
         else if (!strcasecmp(w, "Location")) {
             apr_table_set(r->headers_out, w, l);
         }
         else if (!strcasecmp(w, "Content-Length")) {
             apr_table_set(r->headers_out, w, l);
         }
         else if (!strcasecmp(w, "Content-Range")) {
             apr_table_set(r->headers_out, w, l);
         }
         else if (!strcasecmp(w, "Transfer-Encoding")) {
             apr_table_set(r->headers_out, w, l);
         }
         else if (!strcasecmp(w, "ETag")) {
             apr_table_set(r->headers_out, w, l);
         }
         /*
          * If the script gave us a Last-Modified header, we can't just
          * pass it on blindly because of restrictions on future values.
          */
         else if (!strcasecmp(w, "Last-Modified")) {
             ap_update_mtime(r, apr_date_parse_http(l));
             ap_set_last_modified(r);
         }
         else if (!strcasecmp(w, "Set-Cookie")) {
             apr_table_add(cookie_table, w, l);
         }
         else {
             apr_table_add(merge, w, l);
         }
         first_header = 0;
     }
     /* never reached - we leave this function within the while loop above */
     return OK;
 }
 
 AP_DECLARE(int) ap_scan_script_header_err_core(request_rec *r, char *buffer,
                                        int (*getsfunc) (char *, int, void *),
                                        void *getsfunc_data)
 {
     return ap_scan_script_header_err_core_ex(r, buffer, getsfunc,
                                              getsfunc_data,
                                              APLOG_MODULE_INDEX);
 }
 
 static int getsfunc_FILE(char *buf, int len, void *f)
 {
     return apr_file_gets(buf, len, (apr_file_t *) f) == APR_SUCCESS;
 }
 
 AP_DECLARE(int) ap_scan_script_header_err(request_rec *r, apr_file_t *f,
                                           char *buffer)
 {
     return ap_scan_script_header_err_core_ex(r, buffer, getsfunc_FILE, f,
                                              APLOG_MODULE_INDEX);
 }
 
 AP_DECLARE(int) ap_scan_script_header_err_ex(request_rec *r, apr_file_t *f,