From wr...@apache.org
Subject svn commit: r230722 - /httpd/httpd/branches/proxy-reqbody-2.0.x/modules/proxy/proxy_http.c
Date Mon, 08 Aug 2005 01:10:23 GMT
Author: wrowe
Date: Sun Aug  7 18:10:20 2005
New Revision: 230722

URL: http://svn.apache.org/viewcvs?rev=230722&view=rev
Log:

  Backport yet another security fix; if stream_cl exceeds the 'stated' 
  CL which proxy_request_body asked us to send, then we have to quit 
  forwarding any more bytes (we won't even pass the header if we 
  hadn't yet.)

  Closes an HTTP Request splitting edge case.

Modified:
    httpd/httpd/branches/proxy-reqbody-2.0.x/modules/proxy/proxy_http.c

Modified: httpd/httpd/branches/proxy-reqbody-2.0.x/modules/proxy/proxy_http.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/proxy-reqbody-2.0.x/modules/proxy/proxy_http.c?rev=230722&r1=230721&r2=230722&view=diff
==============================================================================
--- httpd/httpd/branches/proxy-reqbody-2.0.x/modules/proxy/proxy_http.c (original)
+++ httpd/httpd/branches/proxy-reqbody-2.0.x/modules/proxy/proxy_http.c Sun Aug  7 18:10:20
2005
@@ -570,9 +570,13 @@
     apr_bucket_alloc_t *bucket_alloc = r->connection->bucket_alloc;
     apr_bucket_brigade *b;
     apr_bucket *e;
+    apr_off_t cl_val = 0;
+    apr_off_t bytes;
+    apr_off_t bytes_streamed = 0;
 
     if (old_cl_val) {
         add_cl(p, bucket_alloc, header_brigade, old_cl_val);
+        cl_val = atol(old_cl_val);
     }
     terminate_headers(bucket_alloc, header_brigade);
 
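Review bot: `cl_val = atol(old_cl_val);` on L42 accepts a Content-Length with trailing garbage or a leading sign, yields 0 for a non-numeric value and has undefined behavior on overflow, so the value the rest of the loop compares against is not necessarily the one the client declared; atol also returns `long`, which can be narrower than `apr_off_t` on 32-bit builds. Parse with error detection instead, e.g. `char *end; errno = 0; long v = strtol(old_cl_val, &end, 10);` followed by `if (end == old_cl_val || *end != '\0' || errno == ERANGE || v < 0) { /* reject: malformed Content-Length */ }` and `cl_val = v;` (or `apr_strtoff` where the APR this branch builds against provides it). How a malformed header is reported depends on the enclosing function's return convention, and that function starts before this hunk. A `/* declared request Content-Length; compared against bytes_streamed below */` comment on the new `cl_val` declaration would also help the next reader.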
@@ -585,6 +589,9 @@
             return status;
         }
 
+        apr_brigade_length(input_brigade, 1, &bytes);
+        bytes_streamed += bytes;
+
         /* If this brigade contains EOS, either stop or remove it. */
         if (APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(input_brigade))) {
             seen_eos = 1;
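Review bot: The return value of `apr_brigade_length(input_brigade, 1, &bytes);` on L50 is discarded, and `bytes` was declared without an initializer in the first hunk; if the forced read of a bucket fails, `apr_brigade_length` can return that status without having stored a length, and `bytes_streamed += bytes` on L51 then adds an indeterminate value. Check it the way the other calls in this loop are checked (`return status;` at L47 shows a `status` variable is in scope): `status = apr_brigade_length(input_brigade, 1, &bytes);` and `if (status != APR_SUCCESS) { return status; }`. Note that `bytes_streamed` is incremented before the brigade is actually forwarded, so a short comment such as `/* counted before the C-L check below; a brigade that overruns cl_val is dropped, not sent */` would make the name less misleading.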
@@ -601,6 +608,18 @@
             apr_bucket_delete(e);
         }
 
+        /* C-L < bytes streamed?!?
+         * We will error out after the body is completely
+         * consumed, but we can't stream more bytes at the
+         * back end since they would in part be interpreted
+         * as another request!  If nothing is sent, then
+         * just send nothing.
+         *
+         * Prevents HTTP Response Splitting.
+         */
+        if (bytes_streamed > cl_val)
+             continue;
+
         if (header_brigade) {
             /* we never sent the header brigade, so go ahead and
              * take care of that now
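Review bot: The comment block at L60-L68 says this guard "Prevents HTTP Response Splitting", but the log message and the comment's own explanation describe request splitting: the surplus bytes would be read by the origin as another request, so `* Prevents HTTP Request Splitting at the origin.` is the accurate wording. It is also worth stating what `continue` does here, since in a do/while it jumps straight to the `while (!seen_eos)` test: `/* keep draining the client body without forwarding it; the mismatch is reported after the loop */`. Finally, L70 `continue;` is indented one column deeper than the surrounding 4-space style. The enclosing loop continues past the end of this hunk.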
@@ -618,6 +637,13 @@
             return status;
         }
     } while (!seen_eos);
+
+    if (bytes_streamed != cl_val) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+                     "proxy: client %s given Content-Length did not match"
+                     " number of body bytes read", r->connection->remote_ip);
+        return APR_EOF;
+    }
 
     if (header_brigade) {
         /* we never sent the header brigade since there was no request
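Review bot: The mismatch check at L80-L85 depends on `cl_val` being meaningful: when `old_cl_val` is NULL the first hunk leaves `cl_val` at 0, so any body byte at all trips this error. If that path is reachable from the caller, which is outside this hunk, it needs either a guard or a comment saying the function is only entered with a Content-Length present. The check must also stay ahead of the `if (header_brigade)` flush that follows it, otherwise a header carrying the stated C-L would reach the origin after a mismatch; a one-line `/* must precede the header flush below */` would protect that ordering. For triage it helps to log both numbers, e.g. `" number of body bytes read (C-L %" APR_OFF_T_FMT ", read %" APR_OFF_T_FMT ")", r->connection->remote_ip, cl_val, bytes_streamed);`, and `ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ...)` would attach the request context instead of only the server. The enclosing function ends after this hunk.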


