httpd-cvs mailing list archives

From c...@apache.org
Subject svn commit: r371643 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS modules/ssl/ssl_engine_kernel.c
Date Mon, 23 Jan 2006 19:57:24 GMT
Author: colm
Date: Mon Jan 23 11:57:18 2006
New Revision: 371643

URL: http://svn.apache.org/viewcvs?rev=371643&view=rev
Log:
Merge r354394 from trunk:

    * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Omit further
      access control checks if SSL is not in use regardless of vhost
      settings.

Submitted by: rpluem, jorton

Modified:
    httpd/httpd/branches/2.0.x/CHANGES
    httpd/httpd/branches/2.0.x/STATUS
    httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_kernel.c

Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/CHANGES?rev=371643&r1=371642&r2=371643&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Mon Jan 23 11:57:18 2006
@@ -1,6 +1,13 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.56
 
+  *) SECURITY: CVE-2005-3357 (cve.mitre.org)
+     mod_ssl: Fix a possible crash during access control checks if a
+     non-SSL request is processed for an SSL vhost (such as the
+     "HTTP request received on SSL port" error message when an 400
+     ErrorDocument is configured, or if using "SSLEngine optional").
+     PR 37791.  [Rüdiger Plüm, Joe Orton]
+
   *) Add ReceiveBufferSize directive to control the TCP receive buffer.
      [Eric Covener <covener gmail.com>]
 
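
Review bot: In the new CVE-2005-3357 entry, "when an 400 ErrorDocument is configured" should read "when a 400 ErrorDocument is configured". The entry names two triggering configurations (a 400 ErrorDocument on an SSL vhost, and "SSLEngine optional"); since that list is what administrators will use to judge exposure, it is worth confirming it is complete before the release notes are cut.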

Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/STATUS?rev=371643&r1=371642&r2=371643&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Mon Jan 23 11:57:18 2006
@@ -165,14 +165,6 @@
           http://issues.apache.org/bugzilla/attachment.cgi?id=16995
        +1: rpluem, colm, trawick
 
-    *) mod_ssl: Fix PR37791 (CVEID: CAN-2005-3357) (SEGV if the client is
-       connection plain to a SSL enabled port)
-       Trunk version of patch:
-          http://svn.apache.org/viewcvs.cgi?rev=354394&view=rev
-       Backport version for 2.0.x of patch:
-          http://issues.apache.org/bugzilla/attachment.cgi?id=17393
-       +1: rpluem, colm, trawick
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ please place SVN revisions from trunk here, so it is easy to
     identify exactly what the proposed changes are!  Add all new

Modified: httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_kernel.c?rev=371643&r1=371642&r2=371643&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.0.x/modules/ssl/ssl_engine_kernel.c Mon Jan 23 11:57:18 2006
@@ -202,11 +202,14 @@
     }
 
     /*
-     * Check to see if SSL protocol is on
+     * Check to see whether SSL is in use; if it's not, then no
+     * further access control checks are relevant.  (the test for
+     * sc->enabled is probably strictly unnecessary)
      */
-    if (!(sc->enabled || ssl)) {
+    if (!sc->enabled || !ssl) {
         return DECLINED;
     }
+
     /*
      * Support for per-directory reconfigured SSL connection parameters.
      *
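
Review bot: The new comment above `if (!sc->enabled || !ssl)` hedges with "the test for sc->enabled is probably strictly unnecessary", which leaves the next reader unsure which half of the condition is load-bearing. Either drop the `!sc->enabled` term or say that it is kept deliberately as a redundant check, and state plainly that `!ssl` is the guard that matters: the old `!(sc->enabled || ssl)` returned DECLINED only when both were false, so a request with `sc->enabled` set and no `ssl` fell through to the checks below, which is the case the CHANGES entry for PR 37791 describes. A pointer to PR 37791 in the comment would also help anyone tempted to simplify the condition later, and the blank line added after the closing brace is an unrelated whitespace change that could be left out of a security backport.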


