httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From f...@hyperreal.org
Subject cvs commit: apache-2.0/src/main http_protocol.c http_vhost.c
Date Tue, 21 Dec 1999 11:33:24 GMT
fanf        99/12/21 03:33:23

  Modified:    src      CHANGES
               src/main http_protocol.c http_vhost.c
  Log:
  Fix the mass vhosting security problem spotted by Lars, as in 1.3
  Submitted by:	Ben Hyde
  Reviewed by:	Tony Finch
  
  Revision  Changes    Path
  1.19      +5 -0      apache-2.0/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-2.0/src/CHANGES,v
  retrieving revision 1.18
  retrieving revision 1.19
  diff -u -r1.18 -r1.19
  --- CHANGES	1999/12/21 07:54:07	1.18
  +++ CHANGES	1999/12/21 11:33:21	1.19
  @@ -1,4 +1,9 @@
   Changes with Apache 2.0-dev
  +
  +  *) More rigorous checking of Host: headers to fix security problems
  +     with mass name-based virtual hosting (whether using mod_rewrite
  +     or mod_vhost_alias).
  +     [Ben Hyde, Tony Finch]
     
     *) Add back support for UseCanonicalName in <Directory> containers.
        [Manoj Kasichainula]
  
  
  
  1.43      +3 -1      apache-2.0/src/main/http_protocol.c
  
  Index: http_protocol.c
  ===================================================================
  RCS file: /home/cvs/apache-2.0/src/main/http_protocol.c,v
  retrieving revision 1.42
  retrieving revision 1.43
  diff -u -r1.42 -r1.43
  --- http_protocol.c	1999/12/20 16:38:34	1.42
  +++ http_protocol.c	1999/12/21 11:33:22	1.43
  @@ -1033,7 +1033,7 @@
       r->status = HTTP_OK;                         /* Until further notice. */
   
       /* update what we think the virtual host is based on the headers we've
  -     * now read
  +     * now read. may update status.
        */
       ap_update_vhost_from_headers(r);
   
  @@ -1056,6 +1056,8 @@
           ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
                         "client sent HTTP/1.1 request without hostname "
                         "(see RFC2068 section 9, and 14.23): %s", r->uri);
  +    }
  +    if (r->status != HTTP_OK) {
           ap_send_error_response(r, 0);
           ap_run_log_transaction(r);
           return r;
  
  
  
  1.10      +41 -10    apache-2.0/src/main/http_vhost.c
  
  Index: http_vhost.c
  ===================================================================
  RCS file: /home/cvs/apache-2.0/src/main/http_vhost.c,v
  retrieving revision 1.9
  retrieving revision 1.10
  diff -u -r1.9 -r1.10
  --- http_vhost.c	1999/12/15 00:59:56	1.9
  +++ http_vhost.c	1999/12/21 11:33:23	1.10
  @@ -658,22 +658,51 @@
    * run-time vhost matching functions
    */
   
  -/* Remove :port and optionally a single trailing . from the hostname, this
  - * canonicalizes it somewhat.
  +/* Lowercase and remove any trailing dot and/or :port from the hostname,
  + * and check that it is sane.
    */
   static void fix_hostname(request_rec *r)
   {
  -    const char *hostname = r->hostname;
  -    char *host = ap_getword(r->pool, &hostname, ':');	/* get rid of port */
  -    size_t l;
  -
  -    /* trim a trailing . */
  -    l = strlen(host);
  -    if (l > 0 && host[l-1] == '.') {
  -        host[l-1] = '\0';
  +    char *host = ap_palloc(r->pool, strlen(r->hostname) + 1);
  +    const char *src;
  +    char *dst;
  +
  +    /* check and copy the host part */
  +    src = r->hostname;
  +    dst = host;
  +    while (*src) {
  +	if (!isalnum(*src) && *src != '.' && *src != '-') {
  +	    if (*src == ':')
  +		break;
  +	    else
  +		goto bad;
  +	} else {
  +	    *dst++ = *src++;
  +	}
  +    }
  +    /* check the port part */
  +    if (*src++ == ':') {
  +	while (*src) {
  +	    if (!isdigit(*src++)) {
  +		goto bad;
  +	    }
  +	}
  +    }
  +    /* strip trailing gubbins */
  +    if (dst > host && dst[-1] == '.') {
  +	dst[-1] = '\0';
  +    } else {
  +	dst[0] = '\0';
       }
   
       r->hostname = host;
  +    return;
  +
  +bad:
  +    r->status = HTTP_BAD_REQUEST;
  +    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
  +		  "Client sent malformed Host header");
  +    return;
   }
   
   
  @@ -876,6 +905,8 @@
       /* must set this for HTTP/1.1 support */
       if (r->hostname || (r->hostname = ap_table_get(r->headers_in, "Host"))) {
   	fix_hostname(r);
  +	if (r->status != HTTP_OK)
  +	    return;
       }
       /* check if we tucked away a name_chain */
       if (r->connection->vhost_lookup_data) {
  
  
  

Mime
View raw message