From stri...@apache.org
Subject cvs commit: httpd-2.0/modules/proxy proxy_ftp.c
Date Fri, 24 Oct 2003 16:19:32 GMT
striker     2003/10/24 09:19:32

  Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES
               include  Tag: APACHE_2_0_BRANCH httpd.h
               modules/mappers Tag: APACHE_2_0_BRANCH mod_alias.c
                        mod_rewrite.c mod_rewrite.h
               modules/proxy Tag: APACHE_2_0_BRANCH proxy_ftp.c
  Log:
  Fold in the CAN-2003-0542 regex patch.
  
  Revision  Changes    Path
  No                   revision
  No                   revision
  1.988.2.173 +5 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.988.2.172
  retrieving revision 1.988.2.173
  diff -u -r1.988.2.172 -r1.988.2.173
  --- CHANGES	23 Oct 2003 20:07:45 -0000	1.988.2.172
  +++ CHANGES	24 Oct 2003 16:19:31 -0000	1.988.2.173
  @@ -1,5 +1,10 @@
   Changes with Apache 2.0.48
   
  +  *) SECURITY: CAN-2003-0542 (cve.mitre.org)
  +     Fix buffer overflows in mod_alias and mod_rewrite which occurred if
  +     one configured a regular expression with more than 9 captures.
  +     [André Malo]
  +
     *) mod_include: fix segfault which occured if the filename was not
        set, for example, when processing some error conditions.
        PR 23836.  [Brian Akins <bakins@web.turner.com>, André Malo]
  
  
  
  No                   revision
  No                   revision
  1.191.2.6 +3 -0      httpd-2.0/include/httpd.h
  
  Index: httpd.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/include/httpd.h,v
  retrieving revision 1.191.2.5
  retrieving revision 1.191.2.6
  diff -u -r1.191.2.5 -r1.191.2.6
  --- httpd.h	17 Jun 2003 09:47:26 -0000	1.191.2.5
  +++ httpd.h	24 Oct 2003 16:19:31 -0000	1.191.2.6
  @@ -321,6 +321,9 @@
   /** The size of the server's internal read-write buffers */
   #define AP_IOBUFSIZE 8192
   
  +/** The max number of regex captures that can be expanded by ap_pregsub */
  +#define AP_MAX_REG_MATCH 10
  +
   /**
    * APR_HAS_LARGE_FILES introduces the problem of spliting sendfile into 
    * mutiple buckets, no greater than MAX(apr_size_t), and more granular 
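Review bot: The doc comment on `AP_MAX_REG_MATCH` does not say that the count includes the whole-match slot `$0`, so a reader can take 10 to mean ten parenthesised groups when only `$1`..`$9` fit. It also leaves out the contract the rest of this commit relies on: a `regmatch_t` array passed to `ap_regexec` for later substitution needs at least this many elements, and the same constant is what gets passed as `nmatch`. I would word it as `/** Number of regmatch_t slots ($0..$9) filled by ap_regexec and expanded by ap_pregsub; size the array with this and pass it as nmatch */`.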
  
  
  
  No                   revision
  No                   revision
  1.43.2.3  +3 -4      httpd-2.0/modules/mappers/mod_alias.c
  
  Index: mod_alias.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/mappers/mod_alias.c,v
  retrieving revision 1.43.2.2
  retrieving revision 1.43.2.3
  diff -u -r1.43.2.2 -r1.43.2.3
  --- mod_alias.c	24 Apr 2003 16:16:22 -0000	1.43.2.2
  +++ mod_alias.c	24 Oct 2003 16:19:32 -0000	1.43.2.3
  @@ -328,7 +328,7 @@
                               int doesc, int *status)
   {
       alias_entry *entries = (alias_entry *) aliases->elts;
  -    regmatch_t regm[10];
  +    regmatch_t regm[AP_MAX_REG_MATCH];
       char *found = NULL;
       int i;
   
  @@ -337,11 +337,10 @@
           int l;
   
           if (p->regexp) {
  -            if (!ap_regexec(p->regexp, r->uri, p->regexp->re_nsub + 1, regm,
  -                            0)) {
  +            if (!ap_regexec(p->regexp, r->uri, AP_MAX_REG_MATCH, regm, 0)) {
                   if (p->real) {
                       found = ap_pregsub(r->pool, p->real, r->uri,
  -                                    p->regexp->re_nsub + 1, regm);
  +                                       AP_MAX_REG_MATCH, regm);
                       if (found && doesc) {
                           apr_uri_t uri;
                           apr_uri_parse(r->pool, found, &uri);
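Review bot: The return value of `apr_uri_parse` on the last line of this hunk is discarded, so a substitution result that does not parse as a URI is still carried forward in `uri`. `found` is built from `r->uri` through the capture expansion, so it is request-influenced input. Checking the status, for example `if (apr_uri_parse(r->pool, found, &uri) != APR_SUCCESS)`, and reporting the failure through the `status` out-parameter would make the handling explicit. The code that consumes `uri` lies outside the hunk, so how a failed parse behaves today should be confirmed there.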
  
  
  
  1.135.2.18 +5 -6      httpd-2.0/modules/mappers/mod_rewrite.c
  
  Index: mod_rewrite.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/mappers/mod_rewrite.c,v
  retrieving revision 1.135.2.17
  retrieving revision 1.135.2.18
  diff -u -r1.135.2.17 -r1.135.2.18
  --- mod_rewrite.c	30 Sep 2003 17:41:58 -0000	1.135.2.17
  +++ mod_rewrite.c	24 Oct 2003 16:19:32 -0000	1.135.2.18
  @@ -1940,7 +1940,7 @@
       const char *vary;
       char newuri[MAX_STRING_LEN];
       regex_t *regexp;
  -    regmatch_t regmatch[MAX_NMATCH];
  +    regmatch_t regmatch[AP_MAX_REG_MATCH];
       backrefinfo *briRR = NULL;
       backrefinfo *briRC = NULL;
       int prefixstrip;
  @@ -1997,7 +1997,7 @@
           rewritelog(r, 3, "[per-dir %s] applying pattern '%s' to uri '%s'",
                      perdir, p->pattern, uri);
       }
  -    rc = (ap_regexec(regexp, uri, regexp->re_nsub+1, regmatch, 0) == 0);
  +    rc = (ap_regexec(regexp, uri, AP_MAX_REG_MATCH, regmatch, 0) == 0);
       if (! (( rc && !(p->flags & RULEFLAG_NOTMATCH)) ||
              (!rc &&  (p->flags & RULEFLAG_NOTMATCH))   ) ) {
           return 0;
  @@ -2293,7 +2293,7 @@
       char input[MAX_STRING_LEN];
       apr_finfo_t sb;
       request_rec *rsub;
  -    regmatch_t regmatch[MAX_NMATCH];
  +    regmatch_t regmatch[AP_MAX_REG_MATCH];
       int rc;
   
       /*
  @@ -2398,8 +2398,7 @@
       }
       else {
           /* it is really a regexp pattern, so apply it */
  -        rc = (ap_regexec(p->regexp, input,
  -                         p->regexp->re_nsub+1, regmatch,0) == 0);
  +        rc = (ap_regexec(p->regexp, input, AP_MAX_REG_MATCH, regmatch,0) == 0);
   
           /* if it isn't a negated pattern and really matched
              we update the passed-through regex subst info structure */
  @@ -2558,7 +2557,7 @@
                   bri = briRC;
               }
               /* see ap_pregsub() in src/main/util.c */
  -            if (bri && n <= bri->nsub
  +            if (bri && n < AP_MAX_REG_MATCH
                   && bri->regmatch[n].rm_eo > bri->regmatch[n].rm_so) {
                   span = bri->regmatch[n].rm_eo - bri->regmatch[n].rm_so;
                   if (span > space) {
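Review bot: The new guard `n < AP_MAX_REG_MATCH` no longer compares against `bri->nsub`, so its safety now rests on two things this hunk does not show: that `n` cannot be negative, and that every slot of `bri->regmatch` past the last real capture holds the -1/-1 pair that regexec writes for unused entries. If `n` comes from a digit character that is presumably fine, but the check would be self-contained as `if (bri && n >= 0 && n < AP_MAX_REG_MATCH`. A comment such as `/* slots beyond re_nsub are -1/-1 from ap_regexec, so rm_eo > rm_so rejects them */` would record why the `nsub` test could be dropped. The `nsub` field stays in `backrefinfo` in mod_rewrite.h and this check no longer reads it. The enclosing function starts and ends outside the hunk.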
  
  
  
  1.39.2.6  +1 -3      httpd-2.0/modules/mappers/mod_rewrite.h
  
  Index: mod_rewrite.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/mappers/mod_rewrite.h,v
  retrieving revision 1.39.2.5
  retrieving revision 1.39.2.6
  diff -u -r1.39.2.5 -r1.39.2.6
  --- mod_rewrite.h	31 Jul 2003 23:43:37 -0000	1.39.2.5
  +++ mod_rewrite.h	24 Oct 2003 16:19:32 -0000	1.39.2.6
  @@ -210,8 +210,6 @@
   /*** max cookie size in rfc 2109 ***/
   #define MAX_COOKIE_LEN 4096
   
  -#define MAX_NMATCH    10
  -
   /* default maximum number of internal redirects */
   #define REWRITE_REDIRECT_LIMIT 10
   
  @@ -333,7 +331,7 @@
   typedef struct backrefinfo {
       char *source;
       int nsub;
  -    regmatch_t regmatch[10];
  +    regmatch_t regmatch[AP_MAX_REG_MATCH];
   } backrefinfo;
   
   
  
  
  
  No                   revision
  No                   revision
  1.130.2.3 +7 -3      httpd-2.0/modules/proxy/proxy_ftp.c
  
  Index: proxy_ftp.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/proxy/proxy_ftp.c,v
  retrieving revision 1.130.2.2
  retrieving revision 1.130.2.3
  diff -u -r1.130.2.2 -r1.130.2.3
  --- proxy_ftp.c	9 Jul 2003 10:59:56 -0000	1.130.2.2
  +++ proxy_ftp.c	24 Oct 2003 16:19:32 -0000	1.130.2.3
  @@ -319,6 +319,10 @@
       }    state;
   }      proxy_dir_ctx_t;
   
  +/* fallback regex for ls -s1;  ($0..$2) == 3 */
  +#define LS_REG_PATTERN "^ *([0-9]+) +([^ ]+)$"
  +#define LS_REG_MATCH   3
  +
   apr_status_t ap_proxy_send_dir_filter(ap_filter_t *f, apr_bucket_brigade *in)
   {
       request_rec *r = f->r;
  @@ -462,10 +466,10 @@
           int eos = 0;
   
           regex_t *re = NULL;
  -        regmatch_t re_result[3];
  +        regmatch_t re_result[LS_REG_MATCH];
   
           /* Compile the output format of "ls -s1" as a fallback for non-unix ftp listings
*/
  -        re = ap_pregcomp(p, "^ *([0-9]+) +([^ ]+)$", REG_EXTENDED);
  +        re = ap_pregcomp(p, LS_REG_PATTERN, REG_EXTENDED);
   
           /* get a complete line */
           /* if the buffer overruns - throw data away */
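Review bot: The result of `ap_pregcomp` is not checked in this hunk, and `re` is later passed straight to `ap_regexec` in the `@@ -581,7 +585,7 @@` hunk. `LS_REG_PATTERN` is a constant, so a failed compile should be rare, but ap_pregcomp returns NULL on failure and the fallback branch would then hand a null pointer to the matcher. `else if (re != NULL && 0 == ap_regexec(re, ctx->buffer, LS_REG_MATCH, re_result, 0))` keeps the fallback optional. The lines between the two hunks are not visible, so an existing check there would make this moot. Separately, the index in `re_result[2]` depends on the second group of `LS_REG_PATTERN`, and a short comment next to the macro would keep pattern, `LS_REG_MATCH` and index in step.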
  @@ -581,7 +585,7 @@
               }
           }
           /* Try a fallback for listings in the format of "ls -s1" */
  -        else if (0 == ap_regexec(re, ctx->buffer, 3, re_result, 0)) {
  +        else if (0 == ap_regexec(re, ctx->buffer, LS_REG_MATCH, re_result, 0)) {
   
               filename = apr_pstrndup(p, &ctx->buffer[re_result[2].rm_so], re_result[2].rm_eo
- re_result[2].rm_so);
   
  
  
  
