Use ap_parse_strict_length() to parse client-supplied Content-Length

manu · manu · commit e653b97abc5c · 2023-03-07T01:51:02.000Z
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908144 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/modules/dav/fs/quota.c b/modules/dav/fs/quota.c
@@ -320,12 +320,20 @@ int dav_fs_quota_precondition(request_rec *r,
         /*
          * If PUT has Content-Length, we can forecast overquota
          */
-        if ((lenhdr = apr_table_get(r->headers_in, "Content-Length")) &&
-            (atol(lenhdr) > available_bytes)) {
-            status = HTTP_INSUFFICIENT_STORAGE;
-            *err = dav_new_error_tag(r->pool, status, 0, 0,
-                                     msg, NULL, tag);
-            goto out;
+        if (lenhdr = apr_table_get(r->headers_in, "Content-Length")) {
+            if (!ap_parse_strict_length(&size, lenhdr)) {
+                status = HTTP_BAD_REQUEST;
+                *err = dav_new_error(r->pool, status, 0, 0,
+                                     "client sent invalid Content-Length");
+                goto out;
+            }
+
+            if (size > available_bytes) {
+                status = HTTP_INSUFFICIENT_STORAGE;
+                *err = dav_new_error_tag(r->pool, status, 0, 0,
+                                         msg, NULL, tag);
+                goto out;
+            }
         }
         break;
     case M_COPY: /* FALLTHROUGH */
