httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From field...@hyperreal.org
Subject cvs commit: apache-1.3/src/main http_core.c
Date Fri, 30 Oct 1998 03:08:56 GMT
fielding    98/10/29 19:08:56

  Modified:    src      CHANGES
               src/include http_log.h
               src/main http_core.c
  Log:
  Eliminate DoS attack when a bad URI path contains what
  looks like a printf format escape.  This was caused by allowing
  tainted data from the network to be placed within the format string
  of a call to ap_log_rerror.
  
  PR: Reported by Remco van de Meent <rvdmeent@xs4all.nl>, Studenten Net Twente
  Submitted by:	Marc Slemko
  Reviewed by:	Roy Fielding
  
  Revision  Changes    Path
  1.1129    +3 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1128
  retrieving revision 1.1129
  diff -u -r1.1128 -r1.1129
  --- CHANGES	1998/10/28 19:33:52	1.1128
  +++ CHANGES	1998/10/30 03:08:52	1.1129
  @@ -1,5 +1,8 @@
   Changes with Apache 1.3.4
   
  +  *) SECURITY: Eliminate DoS attack when a bad URI path contains what
  +     looks like a printf format escape.  [Marc Slemko, Studenten Net Twente]
  +
     *) Fix in mod_autoindex: for files where the last modified time stamp was
        unavailable, an empty string was printed which was 2 bytes short.
        The size and description columns were therefore not aligned correctly.
  
  
  
  1.32      +9 -0      apache-1.3/src/include/http_log.h
  
  Index: http_log.h
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/include/http_log.h,v
  retrieving revision 1.31
  retrieving revision 1.32
  diff -u -r1.31 -r1.32
  --- http_log.h	1998/08/06 17:30:24	1.31
  +++ http_log.h	1998/10/30 03:08:55	1.32
  @@ -105,6 +105,15 @@
   #define APLOG_MARK	__FILE__,__LINE__
   
   void ap_open_logs (server_rec *, pool *p);
  +
  +/* The two primary logging functions, ap_log_error and ap_log_rerror,
  + * use a printf style format string to build the log message.  It is
  + * VERY IMPORTANT that you not include any raw data from the network,
  + * such as the request-URI or request header fields, within the format
  + * string.  Doing so makes the server vulnerable to a denial-of-service
  + * attack and other messy behavior.  Instead, use a simple format string
  + * like "%s", followed by the string containing the untrusted data.
  + */
   API_EXPORT(void) ap_log_error(const char *file, int line, int level,
   			     const server_rec *s, const char *fmt, ...)
   			    __attribute__((format(printf,5,6)));
  
  
  
  1.238     +1 -1      apache-1.3/src/main/http_core.c
  
  Index: http_core.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/main/http_core.c,v
  retrieving revision 1.237
  retrieving revision 1.238
  diff -u -r1.237 -r1.238
  --- http_core.c	1998/10/23 20:07:39	1.237
  +++ http_core.c	1998/10/30 03:08:55	1.238
  @@ -2783,7 +2783,7 @@
   	else {
   	    emsg = ap_pstrcat(r->pool, emsg, r->filename, r->path_info, NULL);
   	}
  -	ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r, emsg);
  +	ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r, "%s", emsg);
   	return HTTP_NOT_FOUND;
       }
       if (r->method_number != M_GET) {
  
  
  

Mime
View raw message