httpd-cvs mailing list archives

From stri...@apache.org
Subject cvs commit: httpd-2.0/modules/generators mod_cgid.c
Date Fri, 24 Oct 2003 16:37:06 GMT
striker     2003/10/24 09:37:06

  Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES
               modules/generators Tag: APACHE_2_0_BRANCH mod_cgid.c
  Log:
  SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
  the AF_UNIX socket used to communicate with the cgid daemon and
  the CGI script.
  
  Submitted by: Jeff Trawick
  
  Revision  Changes    Path
  No                   revision
  No                   revision
  1.988.2.174 +13 -5     httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.988.2.173
  retrieving revision 1.988.2.174
  diff -u -r1.988.2.173 -r1.988.2.174
  --- CHANGES	24 Oct 2003 16:19:31 -0000	1.988.2.173
  +++ CHANGES	24 Oct 2003 16:37:05 -0000	1.988.2.174
  @@ -1,9 +1,12 @@
   Changes with Apache 2.0.48
  -
  -  *) SECURITY: CAN-2003-0542 (cve.mitre.org)
  -     Fix buffer overflows in mod_alias and mod_rewrite which occurred if
  -     one configured a regular expression with more than 9 captures.
  -     [André Malo]
  +  
  +  *) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
  +     the AF_UNIX socket used to communicate with the cgid daemon and
  +     the CGI script.  [Jeff Trawick]
  +
  +  *) SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and
  +     mod_rewrite which occurred if one configured a regular expression
  +     with more than 9 captures.  [André Malo]
   
     *) mod_include: fix segfault which occured if the filename was not
        set, for example, when processing some error conditions.
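
Review bot: the blank line under "Changes with Apache 2.0.48" is replaced by a line holding two spaces ("+  "), which adds trailing whitespace where the removed line was empty; keep it empty. The CAN-2003-0542 entry is also rewrapped in this hunk and loses its "(cve.mitre.org)" pointer, so a restyle of an existing entry is mixed into the CAN-2003-0789 fix. If the new "SECURITY [CAN-...]" style is intended, it would be easier to audit as a separate commit.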
  @@ -24,6 +27,11 @@
   
     *) mod_rewrite: Don't die silently when failing to open RewriteLogs.
        PR 23416.  [André Malo]
  +
  +
  +  *) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
  +     the AF_UNIX socket used to communicate with the cgid daemon and
  +     the CGI script.  [Jeff Trawick]
   
     *) mod_rewrite: Fix mod_rewrite's support of the [P] option to send
        rewritten request using "proxy:". The code was adding multiple "proxy:"
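
Review bot: the CAN-2003-0789 entry added after the mod_rewrite RewriteLogs item is word for word the entry already added at the top of CHANGES in the previous hunk, and it is preceded by two added blank lines where the surrounding entries use one. Unless this second copy belongs to a different release section that is not visible in the context lines, keep one entry and drop this one.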
  
  
  
  No                   revision
  No                   revision
  1.145.2.9 +10 -25    httpd-2.0/modules/generators/mod_cgid.c
  
  Index: mod_cgid.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/generators/mod_cgid.c,v
  retrieving revision 1.145.2.8
  retrieving revision 1.145.2.9
  diff -u -r1.145.2.8 -r1.145.2.9
  --- mod_cgid.c	13 Oct 2003 19:18:21 -0000	1.145.2.8
  +++ mod_cgid.c	24 Oct 2003 16:37:06 -0000	1.145.2.9
  @@ -1329,11 +1329,13 @@
                                 cleanup_script,
                                 apr_pool_cleanup_null);
       /* We are putting the socket discriptor into an apr_file_t so that we can
  -     * use a pipe bucket to send the data to the client.
  -     * Note that this does not register a cleanup for the socket.  We did
  -     * that explicitly right after we created the socket.
  +     * use a pipe bucket to send the data to the client.  APR will create
  +     * a cleanup for the apr_file_t which will close the socket, so we'll
  +     * get rid of the cleanup we registered when we created the socket.
        */
  -    apr_os_pipe_put(&tempsock, &sd, r->pool);
  +    
  +    apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
  +    apr_pool_cleanup_kill(r->pool, (void *)sd, close_unix_socket);
   
       if ((argv0 = strrchr(r->filename, '/')) != NULL) 
           argv0++; 
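
Review bot: the status returned by apr_os_pipe_put_ex() is discarded, and the apr_pool_cleanup_kill() of close_unix_socket on the next line runs unconditionally. If the put fails, the explicit cleanup has still been removed and sd may be left with no cleanup at all; check the return value and kill the old cleanup only on APR_SUCCESS. The added line before the call contains only four spaces and should be empty or dropped, and the bare 1 passed as the third argument would read better with a short note that it asks APR to register the cleanup.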
  @@ -1466,24 +1468,12 @@
               return HTTP_MOVED_TEMPORARILY; 
           } 
   
  -        /* Passing our socket down the filter chain in a pipe bucket
  -         * gives up the responsibility of closing the socket, so
  -         * get rid of the cleanup.
  -         */
  -        apr_pool_cleanup_kill(r->pool, (void *)sd, close_unix_socket);
  -
           ap_pass_brigade(r->output_filters, bb);
       } 
   
       if (nph) {
           struct ap_filter_t *cur;
           
  -        /* Passing our socket down the filter chain in a pipe bucket
  -         * gives up the responsibility of closing the socket, so
  -         * get rid of the cleanup.
  -         */
  -        apr_pool_cleanup_kill(r->pool, (void *)sd, close_unix_socket);
  -
           /* get rid of all filters up through protocol...  since we
            * haven't parsed off the headers, there is no way they can
            * work
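
Review bot: with both apr_pool_cleanup_kill() calls and their comments removed, nothing at ap_pass_brigade() or in the nph branch says who closes sd any more. A one-line comment at each site stating that the apr_file_t cleanup set up earlier now owns the socket would keep a later reader from reintroducing the kill or adding a second close. It is also worth confirming in the full function that every path into these two branches has already gone through the apr_os_pipe_put_ex() call, since that is not visible from this hunk.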
  @@ -1660,16 +1650,11 @@
                                 cleanup_script,
                                 apr_pool_cleanup_null);
       /* We are putting the socket discriptor into an apr_file_t so that we can
  -     * use a pipe bucket to send the data to the client.
  -     * Note that this does not register a cleanup for the socket.  We did
  -     * that explicitly right after we created the socket.
  -     */
  -    apr_os_pipe_put(&tempsock, &sd, r->pool);
  -
  -    /* Passing our socket down the filter chain in a pipe bucket
  -     * gives up the responsibility of closing the socket, so
  -     * get rid of the cleanup.
  +     * use a pipe bucket to send the data to the client.  APR will create
  +     * a cleanup for the apr_file_t which will close the socket, so we'll
  +     * get rid of the cleanup we registered when we created the socket.
        */
  +    apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
       apr_pool_cleanup_kill(r->pool, (void *)sd, close_unix_socket);
   
       bcgi = apr_brigade_create(r->pool, r->connection->bucket_alloc);
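
Review bot: the comment and the apr_os_pipe_put_ex() / apr_pool_cleanup_kill() pair here are now identical to the block changed at line 1329, so the socket ownership hand-off is maintained in two copies; before this change the two sites already handled the kill differently, and a small static helper would stop them drifting apart again. The status of apr_os_pipe_put_ex() is ignored here as well, so the kill runs even if no replacement cleanup was registered. Since the comment is being rewritten anyway, "discriptor" in its first line could be corrected to "descriptor".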
  
  
  
