Fix regressions related to range requests introduced by 2.2.9-10+lenny10debian/2.2.9-10+lenny11

git-svn-id: svn+ssh://svn.debian.org/svn/pkg-apache/branches/lenny-apache2@1354 01b336ce-410b-0410-9a02-a0e7f243c266

3 files changed, 175 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index cfd6e35b..f7418709 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+apache2 (2.2.9-10+lenny11) lenny-security; urgency=high
+
+  * Fix regressions related to range requests introduced by 2.2.9-10+lenny10.
+    Closes: #639825
+
+ -- Stefan Fritsch <sf@debian.org>  Sun, 04 Sep 2011 22:09:38 +0200
+
 apache2 (2.2.9-10+lenny10) lenny-security; urgency=high
 
   * Fix CVE-2011-3192: DoS by high memory usage for a large number of
diff --git a/debian/patches/00list b/debian/patches/00list
index 0a38bd0c..dc2ef748 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -41,6 +41,7 @@
 080_CVE-2009-3555-rfc5746.dpatch
 081_CVE-2010-1452.dpatch
 082_CVE-2011-3192.dpatch
+083_range_regressions.dpatch
 099_config_guess_sub_update
 200_cp_suexec.dpatch
 201_build_suexec-custom.dpatch
diff --git a/debian/patches/083_range_regressions.dpatch b/debian/patches/083_range_regressions.dpatch
new file mode 100755
index 00000000..c656fea8
--- /dev/null
+++ b/debian/patches/083_range_regressions.dpatch
@@ -0,0 +1,167 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 083_range_regressions.dpatch by Stefan Fritsch <sf@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Merge bug fixes from upstream trunk up to r1165062, but
+## DP: keep the compatible behaviour for 'bytes=0-' requests to send
+## DP: a 206 response.
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny-apache2~/modules/http/byterange_filter.c lenny-apache2/modules/http/byterange_filter.c
+--- lenny-apache2~/modules/http/byterange_filter.c	2011-09-04 22:07:06.000000000 +0200
++++ lenny-apache2/modules/http/byterange_filter.c	2011-09-04 22:08:10.370998504 +0200
+@@ -243,6 +179,20 @@
+     apr_off_t end;
+ } indexes_t;
+ 
++static apr_status_t send_416(ap_filter_t *f, apr_bucket_brigade *tmpbb)
++{
++    apr_bucket *e;
++    conn_rec *c = f->r->connection;
++    ap_remove_output_filter(f);
++    f->r->status = HTTP_OK;
++    e = ap_bucket_error_create(HTTP_RANGE_NOT_SATISFIABLE, NULL,
++                               f->r->pool, c->bucket_alloc);
++    APR_BRIGADE_INSERT_TAIL(tmpbb, e);
++    e = apr_bucket_eos_create(c->bucket_alloc);
++    APR_BRIGADE_INSERT_TAIL(tmpbb, e);
++    return ap_pass_brigade(f->next, tmpbb);
++}
++
+ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_byterange_filter(ap_filter_t *f,
+                                                          apr_bucket_brigade *bb)
+ {
+@@ -296,6 +246,12 @@
+         return ap_pass_brigade(f->next, bb);
+     }
+ 
++    /* this brigade holds what we will be sending */
++    bsend = apr_brigade_create(r->pool, c->bucket_alloc);
++
++    if (num_ranges < 0)
++        return send_416(f, bsend);
++
+     if (num_ranges > 1) {
+         /* Is ap_make_content_type required here? */
+         const char *orig_ct = ap_make_content_type(r, r->content_type);
+@@ -325,8 +281,6 @@
+         ap_xlate_proto_to_ascii(bound_head, strlen(bound_head));
+     }
+ 
+-    /* this brigade holds what we will be sending */
+-    bsend = apr_brigade_create(r->pool, c->bucket_alloc);
+     tmpbb = apr_brigade_create(r->pool, c->bucket_alloc);
+ 
+     idx = (indexes_t *)indexes->elts;
+@@ -384,15 +338,8 @@
+     }
+ 
+     if (found == 0) {
+-        ap_remove_output_filter(f);
+-        r->status = HTTP_OK;
+         /* bsend is assumed to be empty if we get here. */
+-        e = ap_bucket_error_create(HTTP_RANGE_NOT_SATISFIABLE, NULL,
+-                                   r->pool, c->bucket_alloc);
+-        APR_BRIGADE_INSERT_TAIL(bsend, e);
+-        e = apr_bucket_eos_create(c->bucket_alloc);
+-        APR_BRIGADE_INSERT_TAIL(bsend, e);
+-        return ap_pass_brigade(f->next, bsend);
++        return send_416(f, bsend);
+     }
+ 
+     if (num_ranges > 1) {
+@@ -424,7 +371,7 @@
+     const char *match;
+     const char *ct;
+     char *cur;
+-    int num_ranges = 0;
++    int num_ranges = 0, unsatisfiable = 0;
+     apr_off_t sum_lengths = 0;
+     indexes_t *idx;
+     int ranges = 1;
+@@ -497,14 +444,25 @@
+         char *errp;
+         apr_off_t number, start, end;
+ 
+-        if (!(dash = strchr(cur, '-'))) {
++        if (!*cur)
+             break;
++
++        /*
++         * Per RFC 2616 14.35.1: If there is at least one syntactically invalid
++         * byte-range-spec, we must ignore the whole header.
++         */
++
++        if (!(dash = strchr(cur, '-'))) {
++            return 0;
+         }
+ 
+-        if (dash == range) {
++        if (dash == cur) {
+             /* In the form "-5" */
+             if (apr_strtoff(&number, dash+1, &errp, 10) || *errp) {
+-                break;
++                return 0;
++            }
++            if (number < 1) {
++                return 0;
+             }
+             start = clength - number;
+             end = clength - 1;
+@@ -512,14 +470,17 @@
+         else {
+             *dash++ = '\0';
+             if (apr_strtoff(&number, cur, &errp, 10) || *errp) {
+-                break;
++                return 0;
+             }
+             start = number;
+             if (*dash) {
+                 if (apr_strtoff(&number, dash, &errp, 10) || *errp) {
+-                    break;
++                    return 0;
+                 }
+                 end = number;
++                if (start > end) {
++                    return 0;
++                }
+             }
+             else {                  /* "5-" */
+                 end = clength - 1;
+@@ -529,15 +490,14 @@
+         if (start < 0) {
+             start = 0;
+         }
++        if (start >= clength) {
++            unsatisfiable = 1;
++            continue;
++        }
+         if (end >= clength) {
+             end = clength - 1;
+         }
+ 
+-        if (start > end) {
+-            /* ignore? count? */
+-            break;
+-        }
+-
+         idx = (indexes_t *)apr_array_push(*indexes);
+         idx->start = start;
+         idx->end = end;
+@@ -546,9 +506,14 @@
+         num_ranges++;
+     }
+ 
+-    if (sum_lengths >= clength) {
++    if (num_ranges == 0 && unsatisfiable) {
++        /* If all ranges are unsatisfiable, we should return 416 */
++        return -1;
++    }
++
++    if (sum_lengths > clength) {
+         ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+-                      "Sum of ranges not smaller than file, ignoring.");
++                      "Sum of ranges larger than file, ignoring.");
+         return 0;
+     }
+