httpd-cvs mailing list archives

From wr...@apache.org
Subject svn commit: r917234 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS server/protocol.c
Date Sun, 28 Feb 2010 18:15:43 GMT
Author: wrowe
Date: Sun Feb 28 18:15:42 2010
New Revision: 917234

URL: http://svn.apache.org/viewvc?rev=917234&view=rev
Log:
This is an information revealing flaw under worker MPM.  discuss

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/server/protocol.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=917234&r1=917233&r2=917234&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Sun Feb 28 18:15:42 2010
@@ -1,6 +1,11 @@
-                                                         -*- coding: utf-8 -*-
+                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.2.15
 
+  *) Ensure each subrequest has a shallow copy of headers_in so that the
+     parent request headers are not corrupted.  Elimiates a problematic
+     optimization in the case of no request body.  PR 48359
+     [Jake Scott, William Rowe, Ruediger Pluem]
+
   *) SECURITY: CVE-2009-3555 (cve.mitre.org)
      A partial fix for the TLS renegotiation prefix injection attack by
      rejecting any client-initiated renegotiations. Forcibly disable keepalive
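Review bot: The added CHANGES entry misspells "Eliminates" as "Elimiates"; the STATUS copy of the same text spells it correctly. The commit log calls this an information revealing flaw under worker MPM, yet the entry carries no SECURITY: prefix like the CVE-2009-3555 entry directly below it. If that classification stands, the entry should say so, so that readers of CHANGES can tell the fix matters for more than correctness.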

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=917234&r1=917233&r2=917234&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Sun Feb 28 18:15:42 2010
@@ -83,6 +83,23 @@
 
 RELEASE SHOWSTOPPERS:
 
+  * Ensure each subrequest has a shallow copy of headers_in so that the
+    parent request headers are not corrupted.  Eliminates a problematic
+    optimization in the case of no request body.  PR 48359 
+    [Jake Scott, William Rowe, Ruediger Pluem]
+    Link to discussion thread;
+      https://issues.apache.org/bugzilla/show_bug.cgi?id=48359
+    Applied to trunk;
+      http://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?r1=901578&r2=901577
+    Ported to 2.2 (also attached to PR);
+      http://people.apache.org/~wrowe/protocol_headers_copy.patch
+    +1: wrowe
+    -1: niq: this risks breaking existing apps, as discussed in
+             comments on PR 48359.
+             [wrowe notes; incorrect and invalid objection, also as
+              identified in the comments.  Legitimate API users are
+              presently broken by this memory scope flaw.]
+
 
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
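Review bot: The entry placed under RELEASE SHOWSTOPPERS still reads as an open backport proposal, with "+1: wrowe" and an unresolved "-1: niq", although this same revision applies the change to server/protocol.c on the 2.2.x branch. The entry should record that the patch is already committed and that the vote is being revisited, and it should state why it is a showstopper; the rationale given in the commit log (information revealing under worker MPM) does not appear anywhere in the entry text. Minor: the added "PR 48359 " line has a trailing space.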
@@ -101,23 +118,6 @@
    sf:        Couldn't the linux 2.4 bug be worked around by calling access
               twice? Once with R_OK and once with X_OK.
 
-  * Ensure each subrequest has a shallow copy of headers_in so that the
-    parent request headers are not corrupted.  Eliminates a problematic
-    optimization in the case of no request body.  PR 48359 
-    [Jake Scott, William Rowe, Ruediger Pluem]
-    Link to discussion thread;
-      https://issues.apache.org/bugzilla/show_bug.cgi?id=48359
-    Applied to trunk;
-      http://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?r1=901578&r2=901577
-    Ported to 2.2 (also attached to PR);
-      http://people.apache.org/~wrowe/protocol_headers_copy.patch
-    +1: wrowe
-    -1: niq: this risks breaking existing apps, as discussed in
-             comments on PR 48359.
-             [wrowe notes; incorrect and invalid objection, also as
-              identified in the comments.  Legitimate API users are
-              presently broken by this memory scope flaw.]
-
   * core: Support wildcards in both the directory and file components of
     the path specified by the Include directive.
     Trunk patch: http://svn.apache.org/viewvc?rev=909878&view=rev

Modified: httpd/httpd/branches/2.2.x/server/protocol.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/protocol.c?rev=917234&r1=917233&r2=917234&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/server/protocol.c (original)
+++ httpd/httpd/branches/2.2.x/server/protocol.c Sun Feb 28 18:15:42 2010
@@ -1041,15 +1041,13 @@
     return r;
 }
 
-/* if a request with a body creates a subrequest, clone the original request's
- * input headers minus any headers pertaining to the body which has already
- * been read.  out-of-line helper function for ap_set_sub_req_protocol.
+/* if a request with a body creates a subrequest, remove original request's
+ * input headers which pertain to the body which has already been read.
+ * out-of-line helper function for ap_set_sub_req_protocol.
  */
 
-static void clone_headers_no_body(request_rec *rnew,
-                                  const request_rec *r)
+static void strip_headers_request_body(request_rec *rnew)
 {
-    rnew->headers_in = apr_table_copy(rnew->pool, r->headers_in);
     apr_table_unset(rnew->headers_in, "Content-Encoding");
     apr_table_unset(rnew->headers_in, "Content-Language");
     apr_table_unset(rnew->headers_in, "Content-Length");
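Review bot: strip_headers_request_body() now calls apr_table_unset() on rnew->headers_in without making the copy itself, so it is only safe when the caller has already given rnew its own table. If it were called on a table still shared with the parent request, it would strip the parent's body headers. The comment above the function should state that precondition, for example "rnew->headers_in must already be a private copy of the parent's table".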
@@ -1083,15 +1081,14 @@
 
     rnew->status          = HTTP_OK;
 
+    rnew->headers_in = apr_table_copy(rnew->pool, r->headers_in);
+
     /* did the original request have a body?  (e.g. POST w/SSI tags)
      * if so, make sure the subrequest doesn't inherit body headers
      */
     if (apr_table_get(r->headers_in, "Content-Length")
         || apr_table_get(r->headers_in, "Transfer-Encoding")) {
-        clone_headers_no_body(rnew, r);
-    } else {
-        /* no body (common case).  clone headers the cheap way */
-        rnew->headers_in      = r->headers_in;
+        strip_headers_request_body(rnew, r);
     }
     rnew->subprocess_env  = apr_table_copy(rnew->pool, r->subprocess_env);
     rnew->headers_out     = apr_table_make(rnew->pool, 5);
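Review bot: The call strip_headers_request_body(rnew, r) passes two arguments, but the previous hunk changed the helper to take a single request_rec *rnew, so this will not compile; it should be strip_headers_request_body(rnew). The unconditional apr_table_copy() ahead of the body check is the substance of the fix, and a short comment on that line saying why every subrequest gets its own headers_in would help keep the removed "clone headers the cheap way" shortcut from being reintroduced.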


