httpd-cvs mailing list archives

From wr...@apache.org
Subject cvs commit: apache-1.3/src/main util_script.c
Date Thu, 21 Mar 2002 16:07:02 GMT
wrowe       02/03/21 08:07:02

  Modified:    src      CHANGES
               src/main util_script.c
  Log:
    Introduce proper escaping of command.com and cmd.exe for Win32.
    These patches close vulnerability CAN-2002-0061, identified and
    reported by Ory Segal <ory.segal@sanctuminc> 13 Feb 2002, by which
    any invocation of .bat or .cmd files permit system compromise
    when cmd.exe parsed the args passed from QUERY_STRING.
    [William Rowe]
  
    Patches of the set reviewed by Allan Edwards and Bill Stoddard,
    while the security solutions were reviewed at length by the entire
    security community at the ASF.
  
  Revision  Changes    Path
  1.1793    +31 -0     apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1792
  retrieving revision 1.1793
  diff -u -r1.1792 -r1.1793
  --- CHANGES	21 Mar 2002 14:52:55 -0000	1.1792
  +++ CHANGES	21 Mar 2002 16:07:01 -0000	1.1793
  @@ -1,5 +1,36 @@
   Changes with Apache 1.3.24
   
  +
  +  *) Introduce proper escaping of command.com and cmd.exe for Win32.
  +     These patches close vulnerability CAN-2002-0061, identified and
  +     reported by Ory Segal <ory.segal@sanctuminc>, by which any CGI
  +     invocation of .bat or .cmd files could comprimize the system 
  +     when the .bat or .cmd was parsed the query args as an argument 
  +     to either cmd.exe /c or command.com /c.  [William Rowe]
  +
  +  *) Add % and \r [C/R] to the dangerous Win32 shell character list.
  +     Retain the Unix sh escapes list for compatibility.
  +     [William Rowe]
  +
  +  *) Pass the command line to the cmd.exe /c interpreter double quoted.
  +     This fixes a bug that CGI args ending in a double-quote would 
  +     cause invocation to fail.  Also, treat command.com as a 16-bit 
  +     executable.  [William Rowe]
  +
  +  *) Win32; Never invoke cmd or bat scripts based on the registry, even 
  +     for 'ScriptInterpreterSource Registry' enabled.  [William Rowe]
  +
  + *) Provide Win32 users a log of the cgi command invoked, to assist
  +     in debugging scripts at LogLevel info.  Also provide env vars
  +     at LogLevel debug for additional help to admins troubleshooting
  +     the ever mysterious "Premature end of script headers" error.
  +     [Aaron Bannert]
  +
  +  *) Added the 'CgiCommandArgs off' directive, to allow admins
  +     to disable the query argument passing mechanism in Apache,
  +     if future cgi arguments vulnerabilities should be discovered.
  +     [Aaron Bannert]
  +
     *) When a proxied site was being served, Apache was replacing
        the original site Server header with it's own, which is not
        allowed by RFC2616. Fixed. [Graham Leggett]
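Review bot: The entry beginning `+ *) Provide Win32 users a log of the cgi command invoked` is indented one column short of the other entries in this block, which all start with two spaces before `*)`; align it so the list formatting in CHANGES stays uniform. The first entry also spells "comprimize" for "compromise", and "when the .bat or .cmd was parsed the query args as an argument" does not parse; "when the .bat or .cmd script was passed the query args as an argument to either cmd.exe /c or command.com /c" is likely what was meant.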
  
  
  
  1.165     +24 -1     apache-1.3/src/main/util_script.c
  
  Index: util_script.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/main/util_script.c,v
  retrieving revision 1.164
  retrieving revision 1.165
  diff -u -r1.164 -r1.165
  --- util_script.c	21 Mar 2002 06:04:27 -0000	1.164
  +++ util_script.c	21 Mar 2002 16:07:02 -0000	1.165
  @@ -1016,10 +1016,33 @@
          
                   /*
                    * We need to unescape any characters that are 
  -                 * in the arguments list.
  +                 * in the arguments list.  Truncate to 4000
  +                 * characters for safety, being careful of the
  +                 * now-escaped characters.
                    */
                   ap_unescape_url(arguments);
                   arguments = ap_escape_shell_cmd(r->pool, arguments);
  +                if (strlen(arguments) > 4000)
  +                {
  +                    int len = 4000;
  +                    while (len && arguments[len - 1] == '\\') {
  +                        --len;
  +                    }
  +                    arguments[len] = '\0';
  +                }
  +
  +                /*
  +                 * Now that the arguments list is 'shell' escaped with
  +                 * backslashes, we need to make cmd.exe/command.com 
  +                 * safe from this same set of characters.
  +                 */
  +                if (fileType == eCommandShell32) {
  +                    arguments = ap_caret_escape_args(r->pool, arguments);
  +                }
  +                else if (fileType == eCommandShell16) {
  +                    arguments = ap_pstrcat(r->pool, "\"", 
  +                            ap_double_quotes(r->pool, arguments), "\"", NULL);
  +                }
               }
   
               /*
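Review bot: The 4000-character truncation runs after ap_escape_shell_cmd but before ap_caret_escape_args / ap_double_quotes, so the string handed to the shell can still grow past 4000 characters once carets or doubled quotes are inserted; if the limit is meant to bound the final command line, apply it after the last escaping pass (with the same care for a trailing escape character as the backslash loop already takes), otherwise the comment should say it bounds only the intermediate form. The literal 4000 also appears twice (`if (strlen(arguments) > 4000)` and `int len = 4000;`); a single named constant would keep the two in step. The comment "make cmd.exe/command.com safe from this same set of characters" could further say why the eCommandShell16 branch wraps the arguments in doubled quotes instead of caret-escaping them, since a reader of the two branches alone cannot tell whether the difference is deliberate.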
  
  
  
