Bugzilla – Attachment 44777 Details for Bug 95709
VUL-0: CVE-2005-2088: apache2 request smuggling?
Description: fix in 1.3 branch
Filename: httpd-r218988
MIME Type: text/plain
Creator: Peter Poeml
Created: 2005-08-04 09:19:30 UTC
Size: 6.78 KB
Flags: patch, obsolete
>From cvs-return-22339-poeml=suse.de@httpd.apache.org Thu Jul 14 07:19:35 2005 >Return-Path: <cvs-return-22339-poeml=suse.de@httpd.apache.org> >X-Original-To: poeml@wotan.suse.de >Received: from Relay2.suse.de (relay2.suse.de [IPv6:2001:780:101:0:211:25ff:fe4a:7b6e]) > by wotan.suse.de (Postfix) with ESMTP id AB081366657 > for <poeml@wotan.suse.de>; Thu, 14 Jul 2005 07:19:35 +0200 (CEST) >Received: by Relay2.suse.de (Postfix) > id A2EC2118C0; Thu, 14 Jul 2005 07:19:35 +0200 (CEST) >Received: from Relay2.suse.de (localhost [127.0.0.1]) > by Relay2.suse.de (Postfix) with ESMTP id 91AF6118B8 > for <poeml@suse.de>; Thu, 14 Jul 2005 07:19:35 +0200 (CEST) >Received: from Relay2.suse.de ([127.0.0.1]) > by Relay2.suse.de (Relay2 [127.0.0.1]) (amavisd-new, port 10026) with ESMTP > id 02281-15 for <poeml@suse.de>; Thu, 14 Jul 2005 07:19:34 +0200 (CEST) >Received: from mx1.suse.de (mail.suse.de [195.135.220.2]) > (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) > (No client certificate requested) > by Relay2.suse.de (Postfix) with ESMTP id 652EED153 > for <poeml@suse.de>; Thu, 14 Jul 2005 07:19:34 +0200 (CEST) >Received: from mail.apache.org (hermes.apache.org [209.237.227.199]) > by mx1.suse.de (Postfix) with SMTP id C1CD2EE5C > for <poeml@suse.de>; Thu, 14 Jul 2005 07:19:33 +0200 (CEST) >Received: (qmail 57060 invoked by uid 500); 14 Jul 2005 05:19:32 -0000 >Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm >Precedence: bulk >Reply-To: dev@httpd.apache.org >list-help: <mailto:cvs-help@httpd.apache.org> >list-unsubscribe: <mailto:cvs-unsubscribe@httpd.apache.org> >List-Post: <mailto:cvs@httpd.apache.org> >List-Id: <cvs.httpd.apache.org> >Delivered-To: mailing list cvs@httpd.apache.org >Received: (qmail 57047 invoked by uid 99); 14 Jul 2005 05:19:31 -0000 >X-ASF-Spam-Status: No, hits=-9.8 required=10.0 > tests=ALL_TRUSTED,NO_REAL_NAME >X-Spam-Check-By: apache.org >Received: from [209.237.227.194] (HELO minotaur.apache.org) (209.237.227.194) > by 
apache.org (qpsmtpd/0.29) with SMTP; Wed, 13 Jul 2005 22:19:20 -0700 >Received: (qmail 97562 invoked by uid 65534); 14 Jul 2005 05:19:18 -0000 >Message-ID: <20050714051918.97561.qmail@minotaur.apache.org> >Content-Type: text/plain; charset="utf-8" >MIME-Version: 1.0 >Content-Transfer-Encoding: 7bit >Subject: svn commit: r218988 - > /httpd/httpd/branches/1.3.x/src/modules/proxy/proxy_http.c >Date: Thu, 14 Jul 2005 05:19:17 -0000 >To: cvs@httpd.apache.org >From: wrowe@apache.org >X-Mailer: svnmailer-1.0.2 >X-Virus-Checked: Checked by ClamAV on apache.org >X-Virus-Scanned: by amavisd-new at Relay2.suse.de >X-Spam-Status: No, hits=-2.6 tagged_above=-20.0 required=5.0 tests=BAYES_00, > NO_REAL_NAME >X-Spam-Level: >Status: RO >X-Status: F >Content-Length: 4234 > >Author: wrowe >Date: Wed Jul 13 22:19:15 2005 >New Revision: 218988 > >URL: http://svn.apache.org/viewcvs?rev=218988&view=rev >Log: > > Close HTTP response splitting issues in Apache 1.3 - much simpler > than the fix for httpd-2.x as we don't support chunked request > bodies. > >Reviewed by: JimJag > >Modified: > httpd/httpd/branches/1.3.x/src/modules/proxy/proxy_http.c > >Modified: httpd/httpd/branches/1.3.x/src/modules/proxy/proxy_http.c >URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/1.3.x/src/modules/proxy/proxy_http.c?rev=218988&r1=218987&r2=218988&view=diff >============================================================================== >--- httpd/httpd/branches/1.3.x/src/modules/proxy/proxy_http.c (original) >+++ httpd/httpd/branches/1.3.x/src/modules/proxy/proxy_http.c Wed Jul 13 22:19:15 2005 >@@ -121,7 +121,7 @@ > char portstr[32]; > pool *p = r->pool; > int destport = 0; >- int chunked = 0; >+ const char *chunked = NULL; > char *destportstr = NULL; > const char *urlptr = NULL; > const char *datestr, *urlstr; 
>@@ -338,7 +338,12 @@ > ap_table_mergen(req_hdrs, "X-Forwarded-Server", r->server->server_hostname); > } > >- /* we don't yet support keepalives - but we will soon, I promise! */ >+ /* we don't yet support keepalives - but we will soon, I promise! >+ * XXX: This introduces various HTTP Request vulnerabilies if not >+ * properly implemented. Before changing this .. be certain to >+ * add a hard-close of the connection if the T-E and C-L headers >+ * are both present, or the C-L header is malformed. >+ */ > ap_table_set(req_hdrs, "Connection", "close"); > > reqhdrs_arr = ap_table_elts(req_hdrs); 
>@@ -475,25 +480,40 @@ > } > > /* is this content chunked? */ >- chunked = ap_find_last_token(r->pool, >- ap_table_get(resp_hdrs, "Transfer-Encoding"), >- "chunked"); >+ chunked = ap_table_get(resp_hdrs, "Transfer-Encoding"); >+ if (chunked && (strcasecmp(chunked, "chunked") != 0)) { >+ ap_kill_timeout(r); >+ return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool, >+ "Unsupported Transfer-Encoding ", chunked, >+ " from remote server", NULL)); >+ } > > /* strip hop-by-hop headers defined by Connection and RFC2616 */ > ap_proxy_clear_connection(p, resp_hdrs); > > content_length = ap_table_get(resp_hdrs, "Content-Length"); > if (content_length != NULL) { >- c->len = ap_strtol(content_length, NULL, 10); >- >- if (c->len < 0) { >- ap_kill_timeout(r); >- return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool, >- "Invalid Content-Length from remote server", >- NULL)); >+ if (chunked) { >+ /* XXX: We would unset keep-alive here, to the proxy >+ * origin server, for safety's sake but we aren't using >+ * keep-alives (we force Connection: close above) >+ */ >+ nocache = 1; /* do not cache this suspect file */ >+ ap_table_unset(resp_hdrs, "Content-Length"); >+ } >+ else { >+ char *len_end; >+ errno = 0; >+ c->len = ap_strtol(content_length, &len_end, 10); >+ >+ if (errno || (c->len < 0) || (len_end && *len_end)) { >+ ap_kill_timeout(r); >+ return ap_proxyerror(r, HTTP_BAD_GATEWAY, >+ "Invalid Content-Length from remote" >+ " server"); >+ } > } > } >- > } > else { > /* an http/0.9 response */ >@@ -612,7 +632,8 @@ > * content length is not known. We need to make 100% sure c->len is always > * set correctly before we get here to correctly do keepalive. > */ >- ap_proxy_send_fb(f, r, c, c->len, 0, chunked, conf->io_buffer_size); >+ ap_proxy_send_fb(f, r, c, c->len, 0, chunked != NULL, >+ conf->io_buffer_size); > } > > /* ap_proxy_send_fb() closes the socket f for us */ > > >
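Review bot: the @@ -121,7 hunk turns "chunked" from an int flag into the raw Transfer-Encoding string ("const char *chunked = NULL;"), so every remaining use of it as a boolean has to be adapted; the later "ap_proxy_send_fb(..., chunked != NULL, ...)" change does that, but a name such as "transfer_encoding" would make it clearer that the variable holds the header value and only implies "chunked" after the strcasecmp check that follows.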
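Review bot: in the @@ -338,7 hunk the new comment has a typo, "vulnerabilies" should be "vulnerabilities". That comment is also the only place the request-side rule (hard-close the connection when both Transfer-Encoding and Content-Length are present, or Content-Length is malformed) is recorded, since the code still just forces "Connection: close"; citing RFC 2616 section 4.4, which says Transfer-Encoding takes precedence and Content-Length must be ignored when both appear, would give whoever implements keepalives the normative reference.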
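Review bot: in the @@ -475,25 hunk the Content-Length validation still accepts an empty value: ap_strtol performs no conversion on "", returns 0 and leaves len_end pointing at the start of the string, so *len_end is '\0', errno stays 0 and c->len becomes 0 instead of the response being rejected. Adding a no-digits check to the condition, i.e. "if (errno || (c->len < 0) || len_end == content_length || *len_end)", closes that gap (the "len_end &&" guard is redundant, since the end pointer is always stored when a non-NULL address is passed). Also worth stating in the log message: "strcasecmp(chunked, "chunked") != 0" now turns any Transfer-Encoding list such as "gzip, chunked", which the removed ap_find_last_token call accepted, into a 502; that is the safe choice, but it is a visible behaviour change for proxied origins.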
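Review bot: the @@ -612,7 hunk passes "chunked != NULL", which only means "the body is chunked" because the earlier hunk rejects every Transfer-Encoding value other than exactly "chunked" with a 502; if that check is ever relaxed to accept token lists, this argument must go back to testing for the "chunked" token rather than mere presence of the header. A one-line comment at the call site would tie the two hunks together.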
Attachments on bug 95709: 41427 | 41538 | 44777 | 44785