Return-Path: Delivered-To: apmail-httpd-cvs-archive@www.apache.org Received: (qmail 38779 invoked from network); 1 Aug 2007 00:58:43 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 1 Aug 2007 00:58:43 -0000 Received: (qmail 32595 invoked by uid 500); 1 Aug 2007 00:58:42 -0000 Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org Received: (qmail 32548 invoked by uid 500); 1 Aug 2007 00:58:42 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 32528 invoked by uid 99); 1 Aug 2007 00:58:42 -0000 Received: from Unknown (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 31 Jul 2007 17:58:42 -0700 X-ASF-Spam-Status: No, hits=-100.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.3] (HELO eris.apache.org) (140.211.11.3) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 01 Aug 2007 00:58:41 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id 9C5811A981A; Tue, 31 Jul 2007 17:58:21 -0700 (PDT) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r561616 - in /httpd/httpd/trunk: CHANGES modules/proxy/proxy_util.c Date: Wed, 01 Aug 2007 00:58:21 -0000 To: cvs@httpd.apache.org From: niq@apache.org X-Mailer: svnmailer-1.1.0 Message-Id: <20070801005821.9C5811A981A@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: niq Date: Tue Jul 31 17:58:20 2007 New Revision: 561616 URL: http://svn.apache.org/viewvc?view=rev&rev=561616 Log: Fix buffer overflow in date handling PR 41144 (Davi Arnaut) Modified: httpd/httpd/trunk/CHANGES httpd/httpd/trunk/modules/proxy/proxy_util.c Modified: httpd/httpd/trunk/CHANGES URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?view=diff&rev=561616&r1=561615&r2=561616 ============================================================================== --- httpd/httpd/trunk/CHANGES [utf-8] (original) +++ httpd/httpd/trunk/CHANGES [utf-8] Tue Jul 31 17:58:20 2007 @@ -2,6 +2,9 @@ Changes with Apache 2.3.0 [Remove entries to the current 2.0 and 2.2 section below, when backported] + *) mod_proxy: fix buffer overflow issue + PR 41144 [Davi Arnaut, Nick Kew] + *) mod_deflate: fix protocol handling in deflate input filter PR 23287 [Nick Kew] Modified: httpd/httpd/trunk/modules/proxy/proxy_util.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/proxy_util.c?view=diff&rev=561616&r1=561615&r2=561616 ============================================================================== --- httpd/httpd/trunk/modules/proxy/proxy_util.c (original) +++ httpd/httpd/trunk/modules/proxy/proxy_util.c Tue Jul 31 17:58:20 2007 @@ -306,85 +306,37 @@ return NULL; } -static const char * const lwday[7] = -{"Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"}; - /* * If the date is a valid RFC 850 date or asctime() date, then it - * is converted to the RFC 1123 format, otherwise it is not modified. - * This routine is not very fast at doing conversions, as it uses - * sscanf and sprintf. However, if the date is already correctly - * formatted, then it exits very quickly. + * is converted to the RFC 1123 format. */ PROXY_DECLARE(const char *) - ap_proxy_date_canon(apr_pool_t *p, const char *x1) + ap_proxy_date_canon(apr_pool_t *p, const char *date) { - char *x = apr_pstrdup(p, x1); - int wk, mday, year, hour, min, sec, mon; - char *q, month[4], zone[4], week[4]; - - q = strchr(x, ','); - /* check for RFC 850 date */ - if (q != NULL && q - x > 3 && q[1] == ' ') { - *q = '\0'; - for (wk = 0; wk < 7; wk++) { - if (strcmp(x, lwday[wk]) == 0) { - break; - } - } - *q = ','; - if (wk == 7) { - return x; /* not a valid date */ - } - if (q[4] != '-' || q[8] != '-' || q[11] != ' ' || q[14] != ':' || - q[17] != ':' || strcmp(&q[20], " GMT") != 0) { - return x; - } - if (sscanf(q + 2, "%u-%3s-%u %u:%u:%u %3s", &mday, month, &year, - &hour, &min, &sec, zone) != 7) { - return x; - } - if (year < 70) { - year += 2000; - } - else { - year += 1900; - } - } - else { -/* check for acstime() date */ - if (x[3] != ' ' || x[7] != ' ' || x[10] != ' ' || x[13] != ':' || - x[16] != ':' || x[19] != ' ' || x[24] != '\0') { - return x; - } - if (sscanf(x, "%3s %3s %u %u:%u:%u %u", week, month, &mday, &hour, - &min, &sec, &year) != 7) { - return x; - } - for (wk = 0; wk < 7; wk++) { - if (strcmp(week, apr_day_snames[wk]) == 0) { - break; - } - } - if (wk == 7) { - return x; - } + apr_status_t rv; + apr_time_exp_t tm; + apr_size_t retsize; + char* ndate; + static const char format[] = "%a, %d %b %Y %H:%M:%S GMT"; + apr_time_t time = apr_date_parse_http(date); + if (!time) { + return date; } -/* check date */ - for (mon = 0; mon < 12; mon++) { - if (strcmp(month, apr_month_snames[mon]) == 0) { - break; - } + rv = apr_time_exp_gmt(&tm, time); + + if (rv != APR_SUCCESS) { + return date; } - if (mon == 12) { - return x; + + ndate = apr_palloc(p, APR_RFC822_DATE_LEN); + rv = apr_strftime(ndate, &retsize, APR_RFC822_DATE_LEN, format, &tm); + + if (rv != APR_SUCCESS || !retsize) { + return date; } - q = apr_palloc(p, 30); - apr_snprintf(q, 30, "%s, %.2d %s %d %.2d:%.2d:%.2d GMT", apr_day_snames[wk], - mday, apr_month_snames[mon], year, hour, min, sec); - return q; + return ndate; } PROXY_DECLARE(request_rec *)ap_proxy_make_fake_req(conn_rec *c, request_rec *r)