httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 57832] Reduction of response splitting attacks consequences in mod_proxy
Date Wed, 13 May 2015 18:58:55 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=57832

--- Comment #7 from regilero <regis.leroy@makina-corpus.com> ---
I made some tests with the last patch, on top of r1656259's patch.

If the extra content injected after the 1st response is less than 8000 bytes
(more or less), I get 1 as the return value of is_socket_connected instead of 2
(the USE_ALTERNATE_IS_CONNECTED && defined(APR_MSG_PEEK) version). Not always;
the attack succeeds 90% of the time. With a big injected response the socket
read is not empty and is_socket_connected detects this fact, but I do not get
any response (no 502/503/400, just an RST).

So it means the real socket is empty (I tested it with real reads and timeouts),
but something has already stored this extra content, and this storage is
associated with the socket. So quite certainly something like some buckets
which are not cleaned up after the 1st request. Note that this is hiding a
potential problem that I had to fix in the 1st patch with backends sending one
extra \r\n after the first response.

But I think the final solution will have to mix this is_socket_connected with a
real cleanup of all data read from the socket while processing the first
response.

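The failure mode described in the comment above, as an added example that is not part of the bug report or of httpd's own code: a constructed loopback backend writes one complete keep-alive response followed by the bytes a response splitting bug would leave on the same connection, and a small buffered reader stands in for the proxy's read path. The backend, the reader and its chunk size, and the `probe` helper are assumptions made for the illustration; `socket_has_pending_bytes` approximates the MSG_PEEK variant of is_socket_connected at the socket level and is not httpd's function. Whether the socket-level peek notices the injected bytes depends only on how much the reader over-read into its own buffer, which is the point the comment makes about buckets.

```python
import select
import socket
import threading

# Constructed traffic for this example (not a captured exchange): one complete
# HTTP/1.1 keep-alive response, then the bytes an HTTP response splitting bug
# on the backend would leave behind it on the same connection.
FIRST_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 5\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"hello"
)
SPLIT_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\nevil"


def start_backend(payload):
    """Hypothetical backend on loopback: accept one connection, write payload in
    one go, then hold the connection open until the client closes it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    sent = threading.Event()

    def serve():
        conn, _ = listener.accept()
        with conn:
            conn.sendall(payload)
            sent.set()
            conn.recv(1)  # returns b"" once the client hangs up
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1], sent


class ChunkedConnReader:
    """Minimal buffered reader over a socket. Bytes already pulled off the wire
    but not yet consumed sit in self.buf: the user-space analogue of the bucket
    storage the comment suspects of hiding the injected data."""

    def __init__(self, sock, chunk):
        self.sock, self.chunk, self.buf = sock, chunk, bytearray()

    def _fill(self):
        data = self.sock.recv(self.chunk)
        if not data:
            raise ConnectionError("backend closed the connection")
        self.buf += data

    def readline(self):
        while b"\n" not in self.buf:
            self._fill()
        i = self.buf.index(b"\n") + 1
        line, self.buf = bytes(self.buf[:i]), self.buf[i:]
        return line

    def read(self, n):
        while len(self.buf) < n:
            self._fill()
        data, self.buf = bytes(self.buf[:n]), self.buf[n:]
        return data


def read_response(reader):
    """Consume exactly one response: status line, headers, Content-Length body."""
    length = 0
    while True:
        line = reader.readline()
        if line == b"\r\n":
            break
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value)
    return reader.read(length)


def socket_has_pending_bytes(sock, timeout):
    """Socket-level probe in the spirit of the APR_MSG_PEEK variant of
    is_socket_connected: True only if the kernel still holds unread bytes."""
    readable, _, _ = select.select([sock], [], [], timeout)
    if not readable:
        return False
    return len(sock.recv(1, socket.MSG_PEEK)) > 0


def probe(injected, chunk=8192):
    """Fetch the first response through a reader that pulls `chunk` bytes per
    recv, then report what each leftover check sees afterwards."""
    port, sent = start_backend(FIRST_RESPONSE + injected)
    with socket.create_connection(("127.0.0.1", port)) as sock:
        sent.wait(5.0)  # the whole payload is on the wire before we read
        reader = ChunkedConnReader(sock, chunk)
        body = read_response(reader)
        kernel_side = socket_has_pending_bytes(sock, timeout=0.2)
        buffered = bytes(reader.buf)
        return {
            "body": body,
            "peek_only": kernel_side,                   # is_socket_connected alone
            "buffered": buffered,                       # what the buckets hold
            "combined": kernel_side or bool(buffered),  # peek plus buffer check
        }


if __name__ == "__main__":
    for name, result in (
        ("small injection", probe(SPLIT_RESPONSE)),
        ("big injection", probe(SPLIT_RESPONSE + b"A" * 20000)),
        ("exact-size reads", probe(SPLIT_RESPONSE, chunk=len(FIRST_RESPONSE))),
    ):
        print(name, "peek_only=%s buffered=%d combined=%s" % (
            result["peek_only"], len(result["buffered"]), result["combined"]))
```

With the default 8192-byte chunk, a short injected response is swallowed whole by the first recv, so the socket-level peek reports nothing while the reader's buffer holds the attacker's bytes; a 20 KB injection leaves data in the kernel and the peek fires; reading in chunks that exactly match the first response makes the peek reliable again. The threshold here is this reader's chunk size, not a statement about httpd's internal buffer sizes. The `combined` value is the approach the comment argues for: the peek together with an inspection of everything already read off the socket while processing the first response.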
