From n.@apache.org
Subject cvs commit: httpd-2.0/server log.c util.c
Date Sun, 14 Dec 2003 17:32:04 GMT
nd          2003/12/14 09:32:04

  Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES STATUS
               include  Tag: APACHE_2_0_BRANCH ap_mmn.h httpd.h
               server   Tag: APACHE_2_0_BRANCH log.c util.c
  Log:
  SECURITY [CAN-2003-0020]: escape arbitrary data before writing into the
  errorlog.
  
  Reviewed by: Mark J Cox, Erik Abele, Jeff Trawick
  
  Revision  Changes    Path
  No                   revision
  No                   revision
  1.988.2.198 +3 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.988.2.197
  retrieving revision 1.988.2.198
  diff -u -u -r1.988.2.197 -r1.988.2.198
  --- CHANGES	14 Dec 2003 16:21:43 -0000	1.988.2.197
  +++ CHANGES	14 Dec 2003 17:32:02 -0000	1.988.2.198
  @@ -1,5 +1,8 @@
   Changes with Apache 2.0.49
   
  +  *) SECURITY [CAN-2003-0020]: Escape arbitrary data before writing
  +     into the errorlog.  [André Malo]
  +
     *) mod_autoindex / core: Don't fail to show filenames containing
        special characters like '%'. PR 13598.  [André Malo]
    
  
  
  
  1.751.2.601 +1 -9      httpd-2.0/STATUS
  
  Index: STATUS
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/STATUS,v
  retrieving revision 1.751.2.600
  retrieving revision 1.751.2.601
  diff -u -u -r1.751.2.600 -r1.751.2.601
  --- STATUS	14 Dec 2003 16:21:43 -0000	1.751.2.600
  +++ STATUS	14 Dec 2003 17:32:03 -0000	1.751.2.601
  @@ -62,14 +62,6 @@
   
   RELEASE SHOWSTOPPERS:
   
  -    * core: Escape arbitrary data before writing into the errorlog
  -      [CAN-2003-0020]  (2.0 + 1.3)
  -        include/ap_mmn.h: r1.61
  -        include/httpd.h: r1.203
  -        server/log.c: r1.136
  -        server/util.c: r1.143
  -      +1: nd, erikabele, trawick
  -
   PATCHES TO BACKPORT FROM 2.1
     [ please place file names and revisions from HEAD here, so it is easy to
       identify exactly what the proposed changes are! ]
  
  
  
  No                   revision
  No                   revision
  1.52.2.5  +2 -1      httpd-2.0/include/ap_mmn.h
  
  Index: ap_mmn.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/include/ap_mmn.h,v
  retrieving revision 1.52.2.4
  retrieving revision 1.52.2.5
  diff -u -u -r1.52.2.4 -r1.52.2.5
  --- ap_mmn.h	7 Jul 2003 00:45:23 -0000	1.52.2.4
  +++ ap_mmn.h	14 Dec 2003 17:32:04 -0000	1.52.2.5
  @@ -114,6 +114,7 @@
    * 20020903.2 (2.0.46-dev) add ap_escape_logitem
    * 20020903.3 (2.0.46-dev) allow_encoded_slashes added to core_dir_config
    * 20020903.4 (2.0.47-dev) add ap_is_recursion_limit_exceeded()
  + * 20020903.5 (2.0.49-dev) add ap_escape_errorlog_item()
    */
   
   #define MODULE_MAGIC_COOKIE 0x41503230UL /* "AP20" */
  @@ -121,7 +122,7 @@
   #ifndef MODULE_MAGIC_NUMBER_MAJOR
   #define MODULE_MAGIC_NUMBER_MAJOR 20020903
   #endif
  -#define MODULE_MAGIC_NUMBER_MINOR 4                     /* 0...n */
  +#define MODULE_MAGIC_NUMBER_MINOR 5                     /* 0...n */
   
   /**
    * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
  
  
  
  1.191.2.8 +11 -1     httpd-2.0/include/httpd.h
  
  Index: httpd.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/include/httpd.h,v
  retrieving revision 1.191.2.7
  retrieving revision 1.191.2.8
  diff -u -u -r1.191.2.7 -r1.191.2.8
  --- httpd.h	24 Nov 2003 16:07:52 -0000	1.191.2.7
  +++ httpd.h	14 Dec 2003 17:32:04 -0000	1.191.2.8
  @@ -1371,10 +1371,20 @@
   /**
    * Escape a string for logging
    * @param p The pool to allocate from
  - * @param s The string to escape
  + * @param str The string to escape
    * @return The escaped string
    */
   AP_DECLARE(char *) ap_escape_logitem(apr_pool_t *p, const char *str);
  +
  +/**
  + * Escape a string for logging into the error log (without a pool)
  + * @param dest The buffer to write to
  + * @param source The string to escape
  + * @param buflen The buffer size for the escaped string (including \0)
  + * @return The len of the escaped string (always < maxlen)
  + */
  +AP_DECLARE(apr_size_t) ap_escape_errorlog_item(char *dest, const char *source,
  +                                               apr_size_t buflen);
   
   /**
    * Construct a full hostname
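Review bot: The `@return` line of the new ap_escape_errorlog_item doc block refers to `maxlen`, but the parameter is named `buflen`, and the block does not say what happens when the escaped text does not fit or when `source` is NULL. The implementation added to util.c in this commit truncates silently and returns 0 without writing to `dest` when `source` is NULL or `buflen` is 0, so I would document that: `@return The length of the escaped string (always < buflen); 0 with dest untouched if source is NULL or buflen is 0`. A `@note` stating that the output is truncated to fit and is NUL-terminated whenever anything is written would complete the contract. Modules will call this exported function on request-derived data, so the truncation and termination behaviour should be explicit in the header.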
  
  
  
  No                   revision
  No                   revision
  1.127.2.5 +9 -4      httpd-2.0/server/log.c
  
  Index: log.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/server/log.c,v
  retrieving revision 1.127.2.4
  retrieving revision 1.127.2.5
  diff -u -u -r1.127.2.4 -r1.127.2.5
  --- log.c	23 Jun 2003 13:03:59 -0000	1.127.2.4
  +++ log.c	14 Dec 2003 17:32:04 -0000	1.127.2.5
  @@ -401,7 +401,7 @@
                              const request_rec *r, apr_pool_t *pool,
                              const char *fmt, va_list args)
   {
  -    char errstr[MAX_STRING_LEN];
  +    char errstr[MAX_STRING_LEN], scratch[MAX_STRING_LEN];
       apr_size_t len, errstrlen;
       apr_file_t *logf = NULL;
       const char *referer;
  @@ -536,12 +536,17 @@
               errstr[len] = '\0';
           }
       }
  +
       errstrlen = len;
  -    len += apr_vsnprintf(errstr + len, MAX_STRING_LEN - len, fmt, args);
  +    if (apr_vsnprintf(scratch, MAX_STRING_LEN - len, fmt, args)) {
  +        len += ap_escape_errorlog_item(errstr + len, scratch,
  +                                       MAX_STRING_LEN - len);
  +    }
   
  -    if (r && (referer = apr_table_get(r->headers_in, "Referer"))) {
  +    if (   r && (referer = apr_table_get(r->headers_in, "Referer"))
  +        && ap_escape_errorlog_item(scratch, referer, MAX_STRING_LEN - len)) {
           len += apr_snprintf(errstr + len, MAX_STRING_LEN - len,
  -                            ", referer: %s", referer);
  +                            ", referer: %s", scratch);
       }
   
       /* NULL if we are logging to syslog */
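Review bot: In the Referer branch the escaped header is sized to `MAX_STRING_LEN - len` in `scratch`, but it is then copied behind the 11-byte `", referer: "` prefix into that same remaining space, so `apr_snprintf` can cut the tail and split a `\xHH` sequence or leave a lone backslash at the end of the entry. ap_escape_errorlog_item takes care never to end on a partial escape, and that property is lost here. Reserving room for the prefix keeps it: add `&& MAX_STRING_LEN - len > sizeof(", referer: ")` ahead of the escape call and pass `MAX_STRING_LEN - len - (sizeof(", referer: ") - 1)` as the buffer length. The guard has to come first because the subtraction is on `apr_size_t` and would otherwise wrap to a huge length. The text placed in `errstr` before `errstrlen` is built outside this hunk, so whether it carries request-derived data that also needs escaping cannot be judged from here.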
  
  
  
  1.133.2.7 +64 -0     httpd-2.0/server/util.c
  
  Index: util.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/server/util.c,v
  retrieving revision 1.133.2.6
  retrieving revision 1.133.2.7
  diff -u -u -r1.133.2.6 -r1.133.2.7
  --- util.c	17 Jun 2003 17:39:10 -0000	1.133.2.6
  +++ util.c	14 Dec 2003 17:32:04 -0000	1.133.2.7
  @@ -1837,6 +1837,70 @@
       return ret;
   }
   
  +AP_DECLARE(apr_size_t) ap_escape_errorlog_item(char *dest, const char *source,
  +                                               apr_size_t buflen)
  +{
  +    unsigned char *d, *ep;
  +    const unsigned char *s;
  +
  +    if (!source || !buflen) { /* be safe */
  +        return 0;
  +    }
  +
  +    d = (unsigned char *)dest;
  +    s = (const unsigned char *)source;
  +    ep = d + buflen - 1;
  +
  +    for (; d < ep && *s; ++s) {
  +
  +        if (TEST_CHAR(*s, T_ESCAPE_LOGITEM)) {
  +            *d++ = '\\';
  +            if (d >= ep) {
  +                --d;
  +                break;
  +            }
  +
  +            switch(*s) {
  +            case '\b':
  +                *d++ = 'b';
  +                break;
  +            case '\n':
  +                *d++ = 'n';
  +                break;
  +            case '\r':
  +                *d++ = 'r';
  +                break;
  +            case '\t':
  +                *d++ = 't';
  +                break;
  +            case '\v':
  +                *d++ = 'v';
  +                break;
  +            case '\\':
  +                *d++ = *s;
  +                break;
  +            case '"': /* no need for this in error log */
  +                d[-1] = *s;
  +                break;
  +            default:
  +                if (d >= ep - 2) {
  +                    ep = --d; /* break the for loop as well */
  +                    break;
  +                }
  +                c2x(*s, d);
  +                *d = 'x';
  +                d += 3;
  +            }
  +        }
  +        else {
  +            *d++ = *s;
  +        }
  +    }
  +    *d = '\0';
  +
  +    return (d - (unsigned char *)dest);
  +}
  +
   AP_DECLARE(int) ap_is_directory(apr_pool_t *p, const char *path)
   {
       apr_finfo_t finfo;
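Review bot: The early return in ap_escape_errorlog_item (`if (!source || !buflen)`) leaves `dest` unwritten when `source` is NULL and `buflen` is non-zero, so a caller that does not test for a 0 return goes on to read stale or uninitialised buffer contents. Both call sites in log.c in this commit pass non-NULL sources, but the function is exported, so I would terminate the buffer in that case: `if (!buflen) return 0;` followed by `if (!source) { *dest = '\0'; return 0; }`. The `default:` branch also deserves a comment, because `*d = 'x'` only makes sense if c2x() writes a three-byte `%HH` group at `d` (c2x is defined outside this hunk, so confirm), for example `/* c2x() emits "%HH"; overwrite the '%' so the log shows \xHH */`. A short header comment stating that output never ends in a partial escape sequence would also help, since that is what the `d >= ep` and `d >= ep - 2` checks enforce.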
  
  
  
