iliaa Mon Mar 24 20:34:32 2003 EDT Modified files: /php4/sapi/apache2handler sapi_apache2.c Log: Fixed bug #22805 (Reading of user input could stop prematurely). Index: php4/sapi/apache2handler/sapi_apache2.c diff -u php4/sapi/apache2handler/sapi_apache2.c:1.7 php4/sapi/apache2handler/sapi_apache2.c:1.8 --- php4/sapi/apache2handler/sapi_apache2.c:1.7 Mon Mar 17 20:24:18 2003 +++ php4/sapi/apache2handler/sapi_apache2.c Mon Mar 24 20:34:32 2003 @@ -18,7 +18,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: sapi_apache2.c,v 1.7 2003/03/18 01:24:18 sniper Exp $ */ +/* $Id: sapi_apache2.c,v 1.8 2003/03/25 01:34:32 iliaa Exp $ */ #include <fcntl.h> @@ -149,32 +149,33 @@ static int php_apache_sapi_read_post(char *buf, uint count_bytes TSRMLS_DC) { - apr_size_t len; + apr_size_t len, tlen=0; php_struct *ctx = SG(server_context); request_rec *r; apr_bucket_brigade *brigade; - apr_status_t rv; r = ctx->r; brigade = ctx->brigade; len = count_bytes; - rv = ap_get_brigade(r->input_filters, brigade, AP_MODE_READBYTES, - APR_BLOCK_READ, len); + /* + * This loop is needed because ap_get_brigade() can return us partial data + * which would cause premature termination of request read. Therefor we + * need to make sure that if data is avaliable we fill the buffer completely. + */ - if (rv == APR_SUCCESS) { + while (ap_get_brigade(r->input_filters, brigade, AP_MODE_READBYTES, APR_BLOCK_READ, len) == APR_SUCCESS) { apr_brigade_flatten(brigade, buf, &len); - } else { - len = 0; + apr_brigade_cleanup(brigade); + tlen += len; + if (tlen == count_bytes || !len) { + break; + } + buf += len; + len = count_bytes - tlen; } - - apr_brigade_cleanup(brigade); - /* This is downcast is okay, because len is constrained by - * count_bytes and we know ap_get_brigade won't return more - * than that. - */ - return len; + return tlen; } static struct stat*
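Review bot: The result of `apr_brigade_flatten()` is ignored inside the new loop in `php_apache_sapi_read_post`, and `len` is added to `tlen` unconditionally. As far as I know, flatten leaves `len` at the requested size when a bucket read fails, so the function could then report bytes it never wrote into `buf`, and the caller would treat stale buffer contents as request body. Separately, `apr_brigade_cleanup(brigade)` now runs only when `ap_get_brigade()` succeeds, whereas the old code emptied the brigade on every path. I would reinstate `rv`, check both calls, and clean up before deciding whether to continue, as below. A short comment on the `return tlen;` narrowing to `int` would also replace the downcast note this commit drops.

```c
	apr_status_t rv;
	/* … unchanged: ctx, r, brigade setup and len = count_bytes … */
	for (;;) {
		rv = ap_get_brigade(r->input_filters, brigade, AP_MODE_READBYTES, APR_BLOCK_READ, len);
		if (rv == APR_SUCCESS) {
			rv = apr_brigade_flatten(brigade, buf, &len);
		}
		/* Empty the brigade on every path so a failed read leaves no buckets behind. */
		apr_brigade_cleanup(brigade);
		if (rv != APR_SUCCESS) {
			/* Do not count len here: it may not reflect bytes actually copied. */
			break;
		}
		tlen += len;
		if (tlen == count_bytes || !len) {
			break;
		}
		buf += len;
		len = count_bytes - tlen;
	}
	/* … unchanged: return tlen … */
```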