https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8743

diff -uap httpd-2.4.6/docs/manual/mod/core.html.en.cve8743 httpd-2.4.6/docs/manual/mod/core.html.en

--- httpd-2.4.6/docs/manual/mod/core.html.en.cve8743

+++ httpd-2.4.6/docs/manual/mod/core.html.en

@@ -67,6 +67,7 @@

 
 ForceType

 
 GprofDir

 
 HostnameLookups

+
 HttpProtocolOptions

 
 <If>

 
 <IfDefine>

 
 <IfModule>

@@ -93,6 +94,7 @@

 
 NameVirtualHost

 
 Options

 
 Protocol

+
 RegisterHttpMethod

 
 RLimitCPU

 
 RLimitMEM

 
 RLimitNPROC

@@ -1918,6 +1920,74 @@

+
HttpProtocolOptions Directive

+

+Description:Modify restrictions on HTTP Request Messages

+Syntax:HttpProtocolOptions [Strict|Unsafe] [RegisteredMethods|LenientMethods]

+ [Allow0.9|Require1.0]

+Default:HttpProtocolOptions Strict LenientMethods Allow0.9

+Context:server config, virtual host

+Status:Core

+Module:core

+Compatibility:2.2.32 or 2.4.24 and later

+

+    
This directive changes the rules applied to the HTTP Request Line

+    (RFC 7230 §3.1.1) and the HTTP Request Header Fields

+    (RFC 7230 §3.2), which are now applied by default or using

+    the Strict option. Due to legacy modules, applications or

+    custom user-agents which must be deperecated the Unsafe

+    option has been added to revert to the legacy behaviors. These rules

+    are applied prior to request processing, so must be configured at the

+    global or default (first) matching virtual host section, by IP/port

+    interface (and not by name) to be honored.

+

+    
Prior to the introduction of this directive, the Apache HTTP Server

+    request message parsers were tolerant of a number of forms of input

+    which did not conform to the protocol.

+    RFC 7230 §9.4 Request Splitting and

+    §9.5 Response Smuggling call out only two of the potential

+    risks of accepting non-conformant request messages, while

+    RFC 7230 §3.5 "Message Parsing Robustness" identify the

+    risks of accepting obscure whitespace and request message formatting. 

+    As of the introduction of this directive, all grammer rules of the

+    specification are enforced in the default Strict operating

+    mode, and the strict whitespace suggested by section 3.5 is enforced

+    and cannot be relaxed.

+

+    
Users are strongly cautioned against toggling the Unsafe

+    mode of operation, particularly on outward-facing, publicly accessible

+    server deployments.  If an interface is required for faulty monitoring

+    or other custom service consumers running on an intranet, users should

+    toggle the Unsafe option only on a specific virtual host configured

+    to service their internal private network.

+

+    
Reviewing the messages logged to the ErrorLog,

+    configured with LogLevel debug level,

+    can help identify such faulty requests along with their origin.

+    Users should pay particular attention to the 400 responses in the access

+    log for invalid requests which were unexpectedly rejected.

+

+    
RFC 7231 §4.1 "Request Methods" "Overview" requires that

+    origin servers shall respond with an error when an unsupported method

+    is encountered in the request line. This already happens when the

+    LenientMethods option is used, but administrators may wish

+    to toggle the RegisteredMethods option and register any

+    non-standard methods using the RegisterHttpMethod

+    directive, particularly if the Unsafe option has been toggled.

+    The RegisteredMethods option should not

+    be toggled for forward proxy hosts, as the methods supported by the

+    origin servers are unknown to the proxy server.

+

+    
RFC 2616 §19.6 "Compatibility With Previous Versions" had

+    encouraged HTTP servers to support legacy HTTP/0.9 requests. RFC 7230

+    superceeds this with "The expectation to support HTTP/0.9 requests has

+    been removed" and offers additional comments in 

+    RFC 7230 Appendix A. The Require1.0 option allows

+    the user to remove support of the default Allow0.9 option's

+    behavior.

+

+

+

 
<If> Directive

 Description:Contains directives that apply only if a condition is

@@ -3541,6 +3611,23 @@

+
RegisterHttpMethod Directive

+

+Description:Register non-standard HTTP methods

+Syntax:RegisterHttpMethod method [method [...]]

+Context:server config

+Status:Core

+Module:core

+

+
HTTP Methods that are not conforming to the relvant RFCs are normally

+rejected by request processing in Apache HTTPD. To avoid this, modules

+can register non-standard HTTP methods they support.

+The RegisterHttpMethod allows to register such

+methods manually. This can be useful for if such methods are forwared

+for external processing, e.g. to a CGI script.

+

+

+

 
RLimitCPU Directive

 Description:Limits the CPU consumption of processes launched

diff -uap httpd-2.4.6/include/http_core.h.cve8743 httpd-2.4.6/include/http_core.h

--- httpd-2.4.6/include/http_core.h.cve8743

+++ httpd-2.4.6/include/http_core.h

@@ -668,6 +668,21 @@

 #define AP_MERGE_TRAILERS_DISABLE  2

     int merge_trailers;

+#define AP_HTTP09_UNSET   0

+#define AP_HTTP09_ENABLE  1

+#define AP_HTTP09_DISABLE 2

+    char http09_enable;

+

+#define AP_HTTP_CONFORMANCE_UNSET     0

+#define AP_HTTP_CONFORMANCE_UNSAFE    1

+#define AP_HTTP_CONFORMANCE_STRICT    2

+    char http_conformance;

+

+#define AP_HTTP_METHODS_UNSET         0

+#define AP_HTTP_METHODS_LENIENT       1

+#define AP_HTTP_METHODS_REGISTERED    2

+    char http_methods;

+

 } core_server_config;

 /* for AddOutputFiltersByType in core.c */

diff -uap httpd-2.4.6/include/httpd.h.cve8743 httpd-2.4.6/include/httpd.h

--- httpd-2.4.6/include/httpd.h.cve8743

+++ httpd-2.4.6/include/httpd.h

@@ -1584,6 +1584,28 @@

  */

 AP_DECLARE(int) ap_unescape_url(char *url);

+/* Scan a string for field content chars, as defined by RFC7230 section 3.2

+ * including VCHAR/obs-text, as well as HT and SP

+ * @param ptr The string to scan

+ * @return A pointer to the first (non-HT) ASCII ctrl character.

+ * @note lws and trailing whitespace are scanned, the caller is responsible

+ * for trimming leading and trailing whitespace

+ */

+AP_DECLARE(const char *) ap_scan_http_field_content(const char *ptr);

+

+/* Scan a string for token characters, as defined by RFC7230 section 3.2.6

+ * @param ptr The string to scan

+ * @return A pointer to the first non-token character.

+ */

+AP_DECLARE(const char *) ap_scan_http_token(const char *ptr);

+

+/* Scan a string for visible ASCII (0x21-0x7E) or obstext (0x80+)

+ * and return a pointer to the first SP/CTL/NUL character encountered.

+ * @param ptr The string to scan

+ * @return A pointer to the first SP/CTL character.

+ */

+AP_DECLARE(const char *) ap_scan_vchar_obstext(const char *ptr);

+

 /**

  * Unescape a URL, but leaving %2f (slashes) escaped

  * @param url The url to unescape

diff -uap httpd-2.4.6/include/http_protocol.h.cve8743 httpd-2.4.6/include/http_protocol.h

--- httpd-2.4.6/include/http_protocol.h.cve8743

+++ httpd-2.4.6/include/http_protocol.h

@@ -582,17 +582,22 @@

  */

 AP_CORE_DECLARE(void) ap_parse_uri(request_rec *r, const char *uri);

+#define AP_GETLINE_FOLD 1 /* Whether to merge continuation lines */

+#define AP_GETLINE_CRLF 2 /*Whether line ends must be in the form CR LF */

+

 /**

  * Get the next line of input for the request

  * @param s The buffer into which to read the line

  * @param n The size of the buffer

  * @param r The request

- * @param fold Whether to merge continuation lines

+ * @param flags Bit flag of multiple parsing options

+ *              AP_GETLINE_FOLD Whether to merge continuation lines

+ *              AP_GETLINE_CRLF Whether line ends must be in the form CR LF

  * @return The length of the line, if successful

  *         n, if the line is too big to fit in the buffer

  *         -1 for miscellaneous errors

  */

-AP_DECLARE(int) ap_getline(char *s, int n, request_rec *r, int fold);

+AP_DECLARE(int) ap_getline(char *s, int n, request_rec *r, int flags);

 /**

  * Get the next line of input for the request

@@ -610,7 +615,9 @@

  * @param n The size of the buffer

  * @param read The length of the line.

  * @param r The request

- * @param fold Whether to merge continuation lines

+ * @param flags Bit flag of multiple parsing options

+ *              AP_GETLINE_FOLD Whether to merge continuation lines

+ *              AP_GETLINE_CRLF Whether line ends must be in the form CR LF

  * @param bb Working brigade to use when reading buckets

  * @return APR_SUCCESS, if successful

  *         APR_ENOSPC, if the line is too big to fit in the buffer

@@ -619,7 +626,7 @@

 #if APR_CHARSET_EBCDIC

 AP_DECLARE(apr_status_t) ap_rgetline(char **s, apr_size_t n,

                                      apr_size_t *read,

-                                     request_rec *r, int fold,

+                                     request_rec *r, int flags,

                                      apr_bucket_brigade *bb);

 #else /* ASCII box */

 #define ap_rgetline(s, n, read, r, fold, bb) \

@@ -629,7 +636,7 @@

 /** @see ap_rgetline */

 AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,

                                           apr_size_t *read,

-                                          request_rec *r, int fold,

+                                          request_rec *r, int flags,

                                           apr_bucket_brigade *bb);

 /**

diff -uap httpd-2.4.6/modules/http/http_filters.c.cve8743 httpd-2.4.6/modules/http/http_filters.c

--- httpd-2.4.6/modules/http/http_filters.c.cve8743

+++ httpd-2.4.6/modules/http/http_filters.c

@@ -126,14 +126,15 @@

 /**

  * Parse a chunk line with optional extension, detect overflow.

- * There are two error cases:

- *  1) If the conversion would require too many bits, APR_EGENERAL is returned.

- *  2) If the conversion used the correct number of bits, but an overflow

+ * There are several error cases:

+ *  1) If the chunk link is misformatted, APR_EINVAL is returned.

+ *  2) If the conversion would require too many bits, APR_EGENERAL is returned.

+ *  3) If the conversion used the correct number of bits, but an overflow

  *     caused only the sign bit to flip, then APR_ENOSPC is returned.

- * In general, any negative number can be considered an overflow error.

+ * A negative chunk length always indicates an overflow error.

  */

 static apr_status_t parse_chunk_size(http_ctx_t *ctx, const char *buffer,

-                                     apr_size_t len, int linelimit)

+                                     apr_size_t len, int linelimit, int strict)

 {

     apr_size_t i = 0;

@@ -146,6 +147,12 @@

         if (ctx->state == BODY_CHUNK_END

                 || ctx->state == BODY_CHUNK_END_LF) {

             if (c == LF) {

+                if (strict && (ctx->state != BODY_CHUNK_END_LF)) {

+                    /*

+                     * CR missing before LF.

+                     */

+                    return APR_EINVAL;

+                }

                 ctx->state = BODY_CHUNK;

             }

             else if (c == CR && ctx->state == BODY_CHUNK_END) {

@@ -153,7 +160,7 @@

             }

             else {

                 /*

-                 * LF expected.

+                 * CRLF expected.

                  */

                 return APR_EINVAL;

             }

@@ -180,6 +187,12 @@

         }

         if (c == LF) {

+            if (strict && (ctx->state != BODY_CHUNK_LF)) {

+                /*

+                 * CR missing before LF.

+                 */

+                return APR_EINVAL;

+            }

             if (ctx->remaining) {

                 ctx->state = BODY_CHUNK_DATA;

             }

@@ -201,14 +214,17 @@

         }

         else if (ctx->state == BODY_CHUNK_EXT) {

             /*

-             * Control chars (but tabs) are invalid.

+             * Control chars (excluding tabs) are invalid.

+             * TODO: more precisely limit input

              */

             if (c != '\t' && apr_iscntrl(c)) {

                 return APR_EINVAL;

             }

         }

         else if (c == ' ' || c == '\t') {

-            /* Be lenient up to 10 BWS (term from rfc7230 - 3.2.3).

+            /* Be lenient up to 10 implied *LWS, a legacy of RFC 2616,

+             * and noted as errata to RFC7230;

+             * https://www.rfc-editor.org/errata_search.php?rfc=7230&eid=4667

              */

             ctx->state = BODY_CHUNK_CR;

             if (++ctx->chunk_bws > 10) {

@@ -324,7 +340,10 @@

                             ap_input_mode_t mode, apr_read_type_e block,

                             apr_off_t readbytes)

 {

-    core_server_config *conf;

+    core_server_config *conf =

+        (core_server_config *) ap_get_module_config(f->r->server->module_config,

+                                                    &core_module);

+    int strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE);

     apr_bucket *e;

     http_ctx_t *ctx = f->ctx;

     apr_status_t rv;

@@ -332,9 +351,6 @@

     apr_bucket_brigade *bb;

     int again;

-    conf = (core_server_config *)

-        ap_get_module_config(f->r->server->module_config, &core_module);

-

     /* just get out of the way of things we don't want. */

     if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE) {

         return ap_get_brigade(f->next, b, mode, block, readbytes);

@@ -526,7 +542,7 @@

                     if (rv == APR_SUCCESS) {

                         parsing = 1;

                         rv = parse_chunk_size(ctx, buffer, len,

-                                f->r->server->limit_req_fieldsize);

+                                f->r->server->limit_req_fieldsize, strict);

                     }

                     if (rv != APR_SUCCESS) {

                         ap_log_rerror(APLOG_MARK, APLOG_INFO, rv, f->r, APLOGNO(01590)

@@ -668,14 +684,121 @@

     return APR_SUCCESS;

 }

+struct check_header_ctx {

+    request_rec *r;

+    int strict;

+};

+

+/* check a single header, to be used with apr_table_do() */

+static int check_header(struct check_header_ctx *ctx,

+                        const char *name, const char **val)

+{

+    const char *pos, *end;

+    char *dst = NULL;

+

+    if (name[0] == '\0') {

+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02428)

+                      "Empty response header name, aborting request");

+        return 0;

+    }

+

+    if (ctx->strict) {

+        end = ap_scan_http_token(name);

+    }

+    else {

+        end = ap_scan_vchar_obstext(name);

+    }

+    if (*end) {

+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02429)

+                      "Response header name '%s' contains invalid "

+                      "characters, aborting request",

+                      name);

+        return 0;

+    }

+

+    for (pos = *val; *pos; pos = end) {

+        end = ap_scan_http_field_content(pos);

+        if (*end) {

+            if (end[0] != CR || end[1] != LF || (end[2] != ' ' &&

+                                                 end[2] != '\t')) {

+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02430)

+                              "Response header '%s' value of '%s' contains "

+                              "invalid characters, aborting request",

+                              name, pos);

+                return 0;

+            }

+            if (!dst) {

+                *val = dst = apr_palloc(ctx->r->pool, strlen(*val) + 1);

+            }

+        }

+        if (dst) {

+            memcpy(dst, pos, end - pos);

+            dst += end - pos;

+            if (*end) {

+                /* skip folding and replace with a single space */

+                end += 3 + strspn(end + 3, "\t ");

+                *dst++ = ' ';

+            }

+        }

+    }

+    if (dst) {

+        *dst = '\0';

+    }

+    return 1;

+}

+

+static int check_headers_table(apr_table_t *t, struct check_header_ctx *ctx)

+{

+    const apr_array_header_t *headers = apr_table_elts(t);

+    apr_table_entry_t *header;

+    int i;

+

+    for (i = 0; i < headers->nelts; ++i) {

+        header = &APR_ARRAY_IDX(headers, i, apr_table_entry_t);

+        if (!header->key) {

+            continue;

+        }

+        if (!check_header(ctx, header->key, (const char **)&header->val)) {

+            return 0;

+        }

+    }

+    return 1;

+}

+

+/**

+ * Check headers for HTTP conformance

+ * @return 1 if ok, 0 if bad

+ */

+static APR_INLINE int check_headers(request_rec *r)

+{

+    struct check_header_ctx ctx;

+    core_server_config *conf =

+            ap_get_core_module_config(r->server->module_config);

+

+    ctx.r = r;

+    ctx.strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE);

+    return check_headers_table(r->headers_out, &ctx) &&

+           check_headers_table(r->err_headers_out, &ctx;;

+}

+

+static int check_headers_recursion(request_rec *r)

+{

+    void *check = NULL;

+    apr_pool_userdata_get(&check, "check_headers_recursion", r->pool);

+    if (check) {

+        return 1;

+    }

+    apr_pool_userdata_setn("true", "check_headers_recursion", NULL, r->pool);

+    return 0;

+}

+

 typedef struct header_struct {

     apr_pool_t *pool;

     apr_bucket_brigade *bb;

 } header_struct;

 /* Send a single HTTP header field to the client.  Note that this function

- * is used in calls to table_do(), so their interfaces are co-dependent.

- * In other words, don't change this one without checking table_do in alloc.c.

+ * is used in calls to apr_table_do(), so don't change its interface.

  * It returns true unless there was a write error of some kind.

  */

 static int form_header_field(header_struct *h,

@@ -1160,6 +1283,7 @@

 typedef struct header_filter_ctx {

     int headers_sent;

+    int headers_error;

 } header_filter_ctx;

 AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,

@@ -1175,19 +1299,23 @@

     header_filter_ctx *ctx = f->ctx;

     const char *ctype;

     ap_bucket_error *eb = NULL;

+    apr_bucket *eos = NULL;

     AP_DEBUG_ASSERT(!r->main);

-    if (r->header_only) {

-        if (!ctx) {

-            ctx = f->ctx = apr_pcalloc(r->pool, sizeof(header_filter_ctx));

-        }

-        else if (ctx->headers_sent) {

+    if (!ctx) {

+        ctx = f->ctx = apr_pcalloc(r->pool, sizeof(header_filter_ctx));

+    }

+    if (ctx->headers_sent) {

+        /* Eat body if response must not have one. */

+        if (r->header_only || r->status == HTTP_NO_CONTENT) {

             apr_brigade_cleanup(b);

-            return OK;

+            return APR_SUCCESS;

         }

     }

-

+    else if (!ctx->headers_error && !check_headers(r)) {

+        ctx->headers_error = 1;

+    }

     for (e = APR_BRIGADE_FIRST(b);

          e != APR_BRIGADE_SENTINEL(b);

          e = APR_BUCKET_NEXT(e))

@@ -1204,10 +1332,44 @@

             ap_remove_output_filter(f);

             return ap_pass_brigade(f->next, b);

         }

+        if (ctx->headers_error && APR_BUCKET_IS_EOS(e)) {

+            eos = e;

+        }

     }

-    if (eb) {

-        int status;

+    if (ctx->headers_error) {

+        if (!eos) {

+            /* Eat body until EOS */

+            apr_brigade_cleanup(b);

+            return APR_SUCCESS;

+        }

+        /* We may come back here from ap_die() below,

+         * so clear anything from this response.

+         */

+        ctx->headers_error = 0;

+        apr_table_clear(r->headers_out);

+        apr_table_clear(r->err_headers_out);

+

+        /* Don't recall ap_die() if we come back here (from its own internal

+         * redirect or error response), otherwise we can end up in infinite

+         * recursion; better fall through with 500, minimal headers and an

+         * empty body (EOS only).

+         */

+        if (!check_headers_recursion(r)) {

+            apr_brigade_cleanup(b);

+            ap_die(HTTP_INTERNAL_SERVER_ERROR, r);

+            return AP_FILTER_ERROR;

+        }

+        APR_BUCKET_REMOVE(eos);

+        apr_brigade_cleanup(b);

+        APR_BRIGADE_INSERT_TAIL(b, eos);

+        r->status = HTTP_INTERNAL_SERVER_ERROR;

+        r->content_type = r->content_encoding = NULL;

+        r->content_languages = NULL;

+        ap_set_content_length(r, 0);

+    }

+    else if (eb) {

+        int status;

         status = eb->status;

         apr_brigade_cleanup(b);

         ap_die(status, r);

@@ -1264,6 +1426,10 @@

         apr_table_unset(r->headers_out, "Content-Length");

     }

+    if (r->status == HTTP_NO_CONTENT) {

+        apr_table_unset(r->headers_out, "Content-Length");

+    }

+

     ctype = ap_make_content_type(r, r->content_type);

     if (ctype) {

         apr_table_setn(r->headers_out, "Content-Type", ctype);

@@ -1352,11 +1518,11 @@

     terminate_header(b2);

     ap_pass_brigade(f->next, b2);

+    ctx->headers_sent = 1;

-    if (r->header_only) {

+    if (r->header_only || r->status == HTTP_NO_CONTENT) {

         apr_brigade_cleanup(b);

-        ctx->headers_sent = 1;

-        return OK;

+        return APR_SUCCESS;

     }

     r->sent_bodyct = 1;         /* Whatever follows is real body stuff... */

diff -uap httpd-2.4.6/server/core.c.cve8743 httpd-2.4.6/server/core.c

--- httpd-2.4.6/server/core.c.cve8743

+++ httpd-2.4.6/server/core.c

@@ -506,6 +506,15 @@

     if (virt->trace_enable != AP_TRACE_UNSET)

         conf->trace_enable = virt->trace_enable;

+    if (virt->http09_enable != AP_HTTP09_UNSET)

+        conf->http09_enable = virt->http09_enable;

+

+    if (virt->http_conformance != AP_HTTP_CONFORMANCE_UNSET)

+        conf->http_conformance = virt->http_conformance;

+

+    if (virt->http_methods != AP_HTTP_METHODS_UNSET)

+        conf->http_methods = virt->http_methods;

+

     /* no action for virt->accf_map, not allowed per-vhost */

     if (virt->protocol)

@@ -3632,6 +3641,57 @@

     return NULL;

 }

+static const char *set_http_protocol_options(cmd_parms *cmd, void *dummy,

+                                             const char *arg)

+{

+    core_server_config *conf =

+        ap_get_core_module_config(cmd->server->module_config);

+

+    if (strcasecmp(arg, "allow0.9") == 0)

+        conf->http09_enable |= AP_HTTP09_ENABLE;

+    else if (strcasecmp(arg, "require1.0") == 0)

+        conf->http09_enable |= AP_HTTP09_DISABLE;

+    else if (strcasecmp(arg, "strict") == 0)

+        conf->http_conformance |= AP_HTTP_CONFORMANCE_STRICT;

+    else if (strcasecmp(arg, "unsafe") == 0)

+        conf->http_conformance |= AP_HTTP_CONFORMANCE_UNSAFE;

+    else if (strcasecmp(arg, "registeredmethods") == 0)

+        conf->http_methods |= AP_HTTP_METHODS_REGISTERED;

+    else if (strcasecmp(arg, "lenientmethods") == 0)

+        conf->http_methods |= AP_HTTP_METHODS_LENIENT;

+    else

+        return "HttpProtocolOptions accepts "

+               "'Unsafe' or 'Strict' (default), "

+               "'RegisteredMethods' or 'LenientMethods' (default), and "

+               "'Require1.0' or 'Allow0.9' (default)";

+

+    if ((conf->http09_enable & AP_HTTP09_ENABLE)

+            && (conf->http09_enable & AP_HTTP09_DISABLE))

+        return "HttpProtocolOptions 'Allow0.9' and 'Require1.0'"

+               " are mutually exclusive";

+

+    if ((conf->http_conformance & AP_HTTP_CONFORMANCE_STRICT)

+            && (conf->http_conformance & AP_HTTP_CONFORMANCE_UNSAFE))

+        return "HttpProtocolOptions 'Strict' and 'Unsafe'"

+               " are mutually exclusive";

+

+    if ((conf->http_methods & AP_HTTP_METHODS_REGISTERED)

+            && (conf->http_methods & AP_HTTP_METHODS_LENIENT))

+        return "HttpProtocolOptions 'RegisteredMethods' and 'LenientMethods'"

+               " are mutually exclusive";

+

+    return NULL;

+}

+

+static const char *set_http_method(cmd_parms *cmd, void *conf, const char *arg)

+{

+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);

+    if (err != NULL)

+        return err;

+    ap_method_register(cmd->pool, arg);

+    return NULL;

+}

+

 static apr_hash_t *errorlog_hash;

 static int log_constant_item(const ap_errorlog_info *info, const char *arg,

@@ -4143,6 +4203,13 @@

               "'on' (default), 'off' or 'extended' to trace request body content"),

 AP_INIT_FLAG("MergeTrailers", set_merge_trailers, NULL, RSRC_CONF,

               "merge request trailers into request headers or not"),

+AP_INIT_ITERATE("HttpProtocolOptions", set_http_protocol_options, NULL, RSRC_CONF,

+                "'Allow0.9' or 'Require1.0' (default); "

+                "'RegisteredMethods' or 'LenientMethods' (default); "

+                "'Unsafe' or 'Strict' (default). Sets HTTP acceptance rules")

+,

+AP_INIT_ITERATE("RegisterHttpMethod", set_http_method, NULL, RSRC_CONF,

+                "Registers non-standard HTTP methods"),

 { NULL }

 };

diff -uap httpd-2.4.6/server/gen_test_char.c.cve8743 httpd-2.4.6/server/gen_test_char.c

--- httpd-2.4.6/server/gen_test_char.c.cve8743

+++ httpd-2.4.6/server/gen_test_char.c

@@ -16,11 +16,11 @@

 #ifdef CROSS_COMPILE

+#include <ctype.h>

 #define apr_isalnum(c) (isalnum(((unsigned char)(c))))

 #define apr_isalpha(c) (isalpha(((unsigned char)(c))))

 #define apr_iscntrl(c) (iscntrl(((unsigned char)(c))))

 #define apr_isprint(c) (isprint(((unsigned char)(c))))

-#include <ctype.h>

 #define APR_HAVE_STDIO_H 1

 #define APR_HAVE_STRING_H 1

@@ -52,11 +52,13 @@

 #define T_ESCAPE_LOGITEM      (0x10)

 #define T_ESCAPE_FORENSIC     (0x20)

 #define T_ESCAPE_URLENCODED   (0x40)

+#define T_HTTP_CTRLS          (0x80)

+#define T_VCHAR_OBSTEXT      (0x100)

 int main(int argc, char *argv[])

 {

     unsigned c;

-    unsigned char flags;

+    unsigned short flags;

     printf("/* this file is automatically generated by gen_test_char, "

            "do not edit */\n"

@@ -67,19 +69,23 @@

            "#define T_ESCAPE_LOGITEM       (%u)\n"

            "#define T_ESCAPE_FORENSIC      (%u)\n"

            "#define T_ESCAPE_URLENCODED    (%u)\n"

+           "#define T_HTTP_CTRLS           (%u)\n"