httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Jagielski <...@jaguNET.com>
Subject Re: svn commit: r563198 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS
Date Mon, 06 Aug 2007 17:30:13 GMT
Umm... It's usually best to actually do this according
to normal process:

  1. Cast your vote
  2. Then promote as Accepted
  3. Then apply
  4. Then clean up.

covener@apache.org wrote:
> 
> Author: covener
> Date: Mon Aug  6 10:27:09 2007
> New Revision: 563198
> 
> URL: http://svn.apache.org/viewvc?view=rev&rev=563198
> Log:
> backport mod_proxy date parsing buffer over-read
> 
> Submitted by: Nick Kew, Davi Arnaut
> Reviewed by: niq, rpluem, covener
> 
> Modified:
>     httpd/httpd/branches/2.2.x/CHANGES
>     httpd/httpd/branches/2.2.x/STATUS
>     httpd/httpd/branches/2.2.x/modules/proxy/proxy_util.c
> 
> Modified: httpd/httpd/branches/2.2.x/CHANGES
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=diff&rev=563198&r1=563197&r2=563198
> ==============================================================================
> --- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
> +++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Mon Aug  6 10:27:09 2007
> @@ -1,6 +1,11 @@
>                                                          -*- coding: utf-8 -*-
>  Changes with Apache 2.2.5
>  
> +  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
> +     mod_proxy: Prevent reading past the end of a buffer when parsing
> +     date-related headers.  PR 41144.
> +     [Nick Kew, Davi Arnaut]
> +    
>    *) SECURITY: CVE-2007-1863 (cve.mitre.org)
>       mod_cache: Prevent a segmentation fault if attributes are listed in a 
>       Cache-Control header without any value. 
> 
> Modified: httpd/httpd/branches/2.2.x/STATUS
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?view=diff&rev=563198&r1=563197&r2=563198
> ==============================================================================
> --- httpd/httpd/branches/2.2.x/STATUS (original)
> +++ httpd/httpd/branches/2.2.x/STATUS Mon Aug  6 10:27:09 2007
> @@ -329,15 +329,6 @@
>        2.2.x: trunk will work once PR: 23287 patch is applied.
>        +1: niq
>  
> -    * mod_proxy: fix buffer overread in date parsing
> -      PR: 41144
> -      CVE-2007-3847
> -      Trunk: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/proxy_util.c?r1=550514&r2=562069
> -      2.2.x: http://people.apache.org/~niq/proxy-util-22x.patch
> -      +1: niq
> -      rpluem says: Only one minor style nit: There is a tab before
> -      ap_proxy_date_canon. Otherwise +1 on the patch.
> -
>      * mod_core: Avoid that relative changes to Options change the settings for
>        FileETag. This does NOT address the remaining issues with relative
>        settings and FileETag mentioned in PR 42027, but at least it isolates the
> 
> Modified: httpd/httpd/branches/2.2.x/modules/proxy/proxy_util.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/proxy/proxy_util.c?view=diff&rev=563198&r1=563197&r2=563198
> ==============================================================================
> --- httpd/httpd/branches/2.2.x/modules/proxy/proxy_util.c (original)
> +++ httpd/httpd/branches/2.2.x/modules/proxy/proxy_util.c Mon Aug  6 10:27:09 2007
> @@ -280,70 +280,28 @@
>      return NULL;
>  }
>  
> -static const char * const lwday[7] =
> -{"Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"};
> -
>  /*
>   * If the date is a valid RFC 850 date or asctime() date, then it
> - * is converted to the RFC 1123 format, otherwise it is not modified.
> - * This routine is not very fast at doing conversions, as it uses
> - * sscanf and sprintf. However, if the date is already correctly
> - * formatted, then it exits very quickly.
> + * is converted to the RFC 1123 format.
>   */
>  PROXY_DECLARE(const char *)
> -     ap_proxy_date_canon(apr_pool_t *p, const char *x1)
> +     ap_proxy_date_canon(apr_pool_t *p, const char *date)
>  {
> -    char *x = apr_pstrdup(p, x1);
> -    int wk, mday, year, hour, min, sec, mon;
> -    char *q, month[4], zone[4], week[4];
> +    apr_status_t rv;
> +    char* ndate;
>  
> -    q = strchr(x, ',');
> -    /* check for RFC 850 date */
> -    if (q != NULL && q - x > 3 && q[1] == ' ') {
> -    *q = '\0';
> -    for (wk = 0; wk < 7; wk++)
> -        if (strcmp(x, lwday[wk]) == 0)
> -        break;
> -    *q = ',';
> -    if (wk == 7)
> -        return x;       /* not a valid date */
> -    if (q[4] != '-' || q[8] != '-' || q[11] != ' ' || q[14] != ':' ||
> -        q[17] != ':' || strcmp(&q[20], " GMT") != 0)
> -        return x;
> -    if (sscanf(q + 2, "%u-%3s-%u %u:%u:%u %3s", &mday, month, &year,
> -           &hour, &min, &sec, zone) != 7)
> -        return x;
> -    if (year < 70)
> -        year += 2000;
> -    else
> -        year += 1900;
> -    }
> -    else {
> -/* check for acstime() date */
> -    if (x[3] != ' ' || x[7] != ' ' || x[10] != ' ' || x[13] != ':' ||
> -        x[16] != ':' || x[19] != ' ' || x[24] != '\0')
> -        return x;
> -    if (sscanf(x, "%3s %3s %u %u:%u:%u %u", week, month, &mday, &hour,
> -           &min, &sec, &year) != 7)
> -        return x;
> -    for (wk = 0; wk < 7; wk++)
> -        if (strcmp(week, apr_day_snames[wk]) == 0)
> -        break;
> -    if (wk == 7)
> -        return x;
> +    apr_time_t time = apr_date_parse_http(date);
> +    if (!time) {
> +        return date;
>      }
>  
> -/* check date */
> -    for (mon = 0; mon < 12; mon++)
> -    if (strcmp(month, apr_month_snames[mon]) == 0)
> -        break;
> -    if (mon == 12)
> -    return x;
> +    ndate = apr_palloc(p, APR_RFC822_DATE_LEN);
> +    rv = apr_rfc822_date(ndate, time);
> +    if (rv != APR_SUCCESS) {
> +        return date;
> +    }
>  
> -    q = apr_palloc(p, 30);
> -    apr_snprintf(q, 30, "%s, %.2d %s %d %.2d:%.2d:%.2d GMT", apr_day_snames[wk],
> -       mday, apr_month_snames[mon], year, hour, min, sec);
> -    return q;
> +    return ndate;
>  }
>  
>  PROXY_DECLARE(request_rec *)ap_proxy_make_fake_req(conn_rec *c, request_rec *r)
> 
> 


-- 
===========================================================================
   Jim Jagielski   [|]   jim@jaguNET.com   [|]   http://www.jaguNET.com/
	    "If you can dodge a wrench, you can dodge a ball."

Mime
View raw message