httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From f...@hyperreal.org
Subject cvs commit: apache-1.3/src/modules/standard mod_vhost_alias.c
Date Mon, 20 Dec 1999 17:43:42 GMT
fanf        99/12/20 09:43:41

  Modified:    src      CHANGES
               src/main http_protocol.c http_vhost.c
               src/modules/standard mod_vhost_alias.c
  Log:
  A better fix for the mass virtual hosting security problem spotted by Lars.
  This solves the problem for mod_rewrite setups as well as mod_vhost_alias.
  Submitted by:	Ben Hyde
  Reviewed by:	Tony Finch
  
  Revision  Changes    Path
  1.1484    +5 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1483
  retrieving revision 1.1484
  diff -u -r1.1483 -r1.1484
  --- CHANGES	1999/12/17 22:25:11	1.1483
  +++ CHANGES	1999/12/20 17:43:25	1.1484
  @@ -1,5 +1,10 @@
   Changes with Apache 1.3.10
   
  +  *) More rigorous checking of Host: headers to fix security problems
  +     with mass name-based virtual hosting (whether using mod_rewrite
  +     or mod_vhost_alias).
  +     [Ben Hyde, Tony Finch]
  +
     *) Updated README.config to reflect current APACI state.
        [Brian Slesinsky <bslesins@best.com>] PR#5397
   
  
  
  
  1.284     +3 -1      apache-1.3/src/main/http_protocol.c
  
  Index: http_protocol.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/main/http_protocol.c,v
  retrieving revision 1.283
  retrieving revision 1.284
  diff -u -r1.283 -r1.284
  --- http_protocol.c	1999/12/09 12:05:03	1.283
  +++ http_protocol.c	1999/12/20 17:43:35	1.284
  @@ -1045,7 +1045,7 @@
       r->status = HTTP_OK;                         /* Until further notice. */
   
       /* update what we think the virtual host is based on the headers we've
  -     * now read
  +     * now read. may update status.
        */
       ap_update_vhost_from_headers(r);
   
  @@ -1068,6 +1068,8 @@
           ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
                         "client sent HTTP/1.1 request without hostname "
                         "(see RFC2068 section 9, and 14.23): %s", r->uri);
  +    }
  +    if (r->status != HTTP_OK) {
           ap_send_error_response(r, 0);
           ap_log_transaction(r);
           return r;
  
  
  
  1.16      +41 -10    apache-1.3/src/main/http_vhost.c
  
  Index: http_vhost.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/main/http_vhost.c,v
  retrieving revision 1.15
  retrieving revision 1.16
  diff -u -r1.15 -r1.16
  --- http_vhost.c	1999/01/01 19:04:51	1.15
  +++ http_vhost.c	1999/12/20 17:43:37	1.16
  @@ -657,22 +657,51 @@
    * run-time vhost matching functions
    */
   
  -/* Remove :port and optionally a single trailing . from the hostname, this
  - * canonicalizes it somewhat.
  +/* Lowercase and remove any trailing dot and/or :port from the hostname,
  + * and check that it is sane.
    */
   static void fix_hostname(request_rec *r)
   {
  -    const char *hostname = r->hostname;
  -    char *host = ap_getword(r->pool, &hostname, ':');	/* get rid of port */
  -    size_t l;
  -
  -    /* trim a trailing . */
  -    l = strlen(host);
  -    if (l > 0 && host[l-1] == '.') {
  -        host[l-1] = '\0';
  +    char *host = ap_palloc(r->pool, strlen(r->hostname) + 1);
  +    const char *src;
  +    char *dst;
  +
  +    /* check and copy the host part */
  +    src = r->hostname;
  +    dst = host;
  +    while (*src) {
  +	if (!isalnum(*src) && *src != '.' && *src != '-') {
  +	    if (*src == ':')
  +		break;
  +	    else
  +		goto bad;
  +	} else {
  +	    *dst++ = tolower(*src++);
  +	}
  +    }
  +    /* check the port part */
  +    if (*src++ == ':') {
  +	while (*src) {
  +	    if (!isdigit(*src++)) {
  +		goto bad;
  +	    }
  +	}
  +    }
  +    /* strip trailing gubbins */
  +    if (dst > host && dst[-1] == '.') {
  +	dst[-1] = '\0';
  +    } else {
  +	dst[0] = '\0';
       }
   
       r->hostname = host;
  +    return;
  +
  +bad:
  +    r->status = HTTP_BAD_REQUEST;
  +    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
  +		  "Client sent malformed Host header");
  +    return;
   }
   
   
  @@ -874,6 +903,8 @@
       /* must set this for HTTP/1.1 support */
       if (r->hostname || (r->hostname = ap_table_get(r->headers_in, "Host"))) {
   	fix_hostname(r);
  +	if (r->status != HTTP_OK)
  +	    return;
       }
       /* check if we tucked away a name_chain */
       if (r->connection->vhost_lookup_data) {
  
  
  
  1.4       +6 -12     apache-1.3/src/modules/standard/mod_vhost_alias.c
  
  Index: mod_vhost_alias.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/modules/standard/mod_vhost_alias.c,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- mod_vhost_alias.c	1999/12/20 05:24:22	1.3
  +++ mod_vhost_alias.c	1999/12/20 17:43:40	1.4
  @@ -278,8 +278,8 @@
       }
   }
   
  -static int vhost_alias_interpolate(request_rec *r, const char *name,
  -				   const char *map, const char *uri)
  +static void vhost_alias_interpolate(request_rec *r, const char *name,
  +				    const char *map, const char *uri)
   {
       /* 0..9 9..0 */
       enum { MAXDOTS = 19 };
  @@ -390,11 +390,8 @@
   	    }
   	}
   	vhost_alias_checkspace(r, buf, &dest, end - start);
  -	for (p = start; p < end; ++p) {
  -	    if (!isalnum(*p) && *p != '-' && *p != '.')
  -		return HTTP_BAD_REQUEST;
  -	    *dest++ = ap_tolower(*p);
  -	}
  +	memcpy(dest, start, end-start);
  +	dest += end-start;
       }
       *dest = '\0';
       /* no double slashes */
  @@ -407,7 +404,6 @@
       else {
   	r->filename = ap_pstrcat(r->pool, buf, uri, NULL);
       }
  -    return OK;
   }
   
   static int mva_translate(request_rec *r)
  @@ -415,7 +411,7 @@
       mva_sconf_t *conf;
       const char *name, *map, *uri;
       mva_mode_e mode;
  -    int cgi, bad;
  +    int cgi;
     
       conf = (mva_sconf_t *) ap_get_module_config(r->server->module_config,
   					      &vhost_alias_module);
  @@ -449,9 +445,7 @@
   	return DECLINED;
       }
   
  -    bad = vhost_alias_interpolate(r, name, map, uri);
  -    if (bad != OK)
  -	return bad;
  +    vhost_alias_interpolate(r, name, map, uri);
   
       if (cgi) {
   	/* see is_scriptaliased() in mod_cgi */
  
  
  

Mime
View raw message