httpd-cvs mailing list archives

From stri...@apache.org
Subject cvs commit: httpd-2.0/modules/generators mod_cgid.c
Date Sun, 26 Oct 2003 23:25:44 GMT
striker     2003/10/26 15:25:44

  Modified:    .        CHANGES
               modules/generators mod_cgid.c
  Log:
  Forward port from 2.0:
  
  SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
  the AF_UNIX socket used to communicate with the cgid daemon and
  the CGI script.
  
  Submitted by: Jeff Trawick
  
  Revision  Changes    Path
  1.1300    +4 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.1299
  retrieving revision 1.1300
  diff -u -r1.1299 -r1.1300
  --- CHANGES	24 Oct 2003 16:20:27 -0000	1.1299
  +++ CHANGES	26 Oct 2003 23:25:44 -0000	1.1300
  @@ -210,6 +210,10 @@
   
   Changes with Apache 2.0.48
   
  +  *) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
  +     the AF_UNIX socket used to communicate with the cgid daemon and
  +     the CGI script.  [Jeff Trawick]
  +
     *) SECURITY: CAN-2003-0542 (cve.mitre.org)
        Fix buffer overflows in mod_alias and mod_rewrite which occurred if
        one configured a regular expression with more than 9 captures.
  
  
  
  1.158     +10 -25    httpd-2.0/modules/generators/mod_cgid.c
  
  Index: mod_cgid.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/generators/mod_cgid.c,v
  retrieving revision 1.157
  retrieving revision 1.158
  diff -u -r1.157 -r1.158
  --- mod_cgid.c	2 Oct 2003 11:58:57 -0000	1.157
  +++ mod_cgid.c	26 Oct 2003 23:25:44 -0000	1.158
  @@ -1355,11 +1355,13 @@
                                 cleanup_script,
                                 apr_pool_cleanup_null);
       /* We are putting the socket discriptor into an apr_file_t so that we can
  -     * use a pipe bucket to send the data to the client.
  -     * Note that this does not register a cleanup for the socket.  We did
  -     * that explicitly right after we created the socket.
  +     * use a pipe bucket to send the data to the client.  APR will create
  +     * a cleanup for the apr_file_t which will close the socket, so we'll
  +     * get rid of the cleanup we registered when we created the socket.
        */
  -    apr_os_pipe_put(&tempsock, &sd, r->pool);
  +    
  +    apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
  +    apr_pool_cleanup_kill(r->pool, (void *)sd, close_unix_socket);
   
       if ((argv0 = strrchr(r->filename, '/')) != NULL) 
           argv0++; 
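Review bot: The status returned by `apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool)` is discarded, and the next line kills the `close_unix_socket` cleanup unconditionally. If the wrap ever failed, no cleanup would own `sd` and `tempsock` would be used unset. Checking the status first keeps exactly one owner for the descriptor on every path, for example `if (apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool) != APR_SUCCESS) return HTTP_INTERNAL_SERVER_ERROR;` placed ahead of the `apr_pool_cleanup_kill` call. The same two lines are added in the last mod_cgid.c hunk and need the same treatment. The enclosing function starts and ends outside this hunk, so the appropriate error return is an assumption to confirm against the full handler.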
  @@ -1492,24 +1494,12 @@
               return HTTP_MOVED_TEMPORARILY; 
           } 
   
  -        /* Passing our socket down the filter chain in a pipe bucket
  -         * gives up the responsibility of closing the socket, so
  -         * get rid of the cleanup.
  -         */
  -        apr_pool_cleanup_kill(r->pool, (void *)sd, close_unix_socket);
  -
           ap_pass_brigade(r->output_filters, bb);
       } 
   
       if (nph) {
           struct ap_filter_t *cur;
           
  -        /* Passing our socket down the filter chain in a pipe bucket
  -         * gives up the responsibility of closing the socket, so
  -         * get rid of the cleanup.
  -         */
  -        apr_pool_cleanup_kill(r->pool, (void *)sd, close_unix_socket);
  -
           /* get rid of all filters up through protocol...  since we
            * haven't parsed off the headers, there is no way they can
            * work
  @@ -1658,16 +1648,11 @@
                                 apr_pool_cleanup_null);
   
       /* We are putting the socket discriptor into an apr_file_t so that we can
  -     * use a pipe bucket to send the data to the client.
  -     * Note that this does not register a cleanup for the socket.  We did
  -     * that explicitly right after we created the socket.
  -     */
  -    apr_os_pipe_put(&tempsock, &sd, r->pool);
  -
  -    /* Passing our socket down the filter chain in a pipe bucket
  -     * gives up the responsibility of closing the socket, so
  -     * get rid of the cleanup.
  +     * use a pipe bucket to send the data to the client.  APR will create
  +     * a cleanup for the apr_file_t which will close the socket, so we'll
  +     * get rid of the cleanup we registered when we created the socket.
        */
  +    apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
       apr_pool_cleanup_kill(r->pool, (void *)sd, close_unix_socket);
   
       APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_pipe_create(tempsock,
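Review bot: The descriptor hand-off here (the comment, the `apr_os_pipe_put_ex` call with `1`, then `apr_pool_cleanup_kill`) repeats the sequence added in the first mod_cgid.c hunk. The two copies must stay in step for the socket to have exactly one closing cleanup. A small static helper taking `r` and `sd` and returning the `apr_file_t *` would keep that ownership rule in one place. The bare `1` would also be clearer with a trailing comment such as `/* register_cleanup */`. The `(void *)sd` key passed to `apr_pool_cleanup_kill` has to match the value used when the cleanup was registered, and that registration is outside this hunk.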
  
  
  
