httpd-cvs mailing list archives

From pque...@apache.org
Subject svn commit: r966348 - in /httpd/httpd/trunk: CHANGES include/httpd.h modules/cache/cache_storage.c modules/dav/main/util.c modules/session/mod_session.c
Date Wed, 21 Jul 2010 18:25:01 GMT
Author: pquerna
Date: Wed Jul 21 18:25:01 2010
New Revision: 966348

URL: http://svn.apache.org/viewvc?rev=966348&view=rev
Log:
CVE-2010-1452: Fix handling of missing path segments in the parsed URI structure.

If a specially crafted request is sent, it is possible to crash mod_dav,
mod_cache or mod_session, as they access a field that is set to NULL
by the URI parser, assuming that it always holds a valid string.

PR: 49246
Submitted by: Mark Drayton
Patch by: Jeff Trawick

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/include/httpd.h
    httpd/httpd/trunk/modules/cache/cache_storage.c
    httpd/httpd/trunk/modules/dav/main/util.c
    httpd/httpd/trunk/modules/session/mod_session.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=966348&r1=966347&r2=966348&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Wed Jul 21 18:25:01 2010
@@ -2,6 +2,10 @@
 
 Changes with Apache 2.3.7
 
+  *) SECURITY: CVE-2010-1452 (cve.mitre.org)
+     mod_dav, mod_cache, mod_session: Fix Handling of requests without a path 
+     segment. PR: 49246 [Mark Drayton, Jeff Trawick]
+
   *) core/mod_authz_core: Introduce new access_checker_ex hook that enables
      mod_authz_core to bypass authentication if access should be allowed by
      IP address/env var/... [Stefan Fritsch]

Modified: httpd/httpd/trunk/include/httpd.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/httpd.h?rev=966348&r1=966347&r2=966348&view=diff
==============================================================================
--- httpd/httpd/trunk/include/httpd.h (original)
+++ httpd/httpd/trunk/include/httpd.h Wed Jul 21 18:25:01 2010
@@ -922,7 +922,7 @@ struct request_rec {
 
     /** The URI without any parsing performed */
     char *unparsed_uri;	
-    /** The path portion of the URI */
+    /** The path portion of the URI, or "/" if no path provided */
     char *uri;
     /** The filename on disk corresponding to this response */
     char *filename;
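Review bot: The updated comment on `uri` documents the "/" fallback but not the property the other files in this commit now rely on, namely that the field is safe to dereference when the request carries no path. The commit log says the URI parser leaves its own path field NULL in that case, so the contrast is worth stating where module authors will read it. If the non-NULL guarantee really holds wherever `r->uri` is assigned (not visible in this hunk), I would write `/** The path portion of the URI, or "/" if no path provided; never NULL, unlike parsed_uri.path */`.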

Modified: httpd/httpd/trunk/modules/cache/cache_storage.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/cache/cache_storage.c?rev=966348&r1=966347&r2=966348&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/cache/cache_storage.c (original)
+++ httpd/httpd/trunk/modules/cache/cache_storage.c Wed Jul 21 18:25:01 2010
@@ -479,7 +479,7 @@ apr_status_t cache_generate_key_default(
      * Check if we need to ignore session identifiers in the URL and do so
      * if needed.
      */
-    path = r->parsed_uri.path;
+    path = r->uri;
     querystring = r->parsed_uri.query;
     if (conf->ignore_session_id->nelts) {
         int i;
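Review bot: The line after the fix still reads `r->parsed_uri.query` into `querystring`, and that field comes from the same parser that this commit says leaves the path NULL, so a request without a query string probably leaves it NULL as well. The rest of cache_generate_key_default is outside the hunk, so each later use of `querystring` should be confirmed to be NULL-guarded. The same field is passed to a `%s` in the debug log call of the next hunk (`r->parsed_uri.query, *key`); unless the formatter is known to tolerate NULL, `r->parsed_uri.query ? r->parsed_uri.query : ""` is safer there. Separately, if `r->uri` can differ from the parsed path at this point (for example after rewriting or unescaping), the generated cache key changes for existing entries, which deserves a comment.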
@@ -578,7 +578,7 @@ apr_status_t cache_generate_key_default(
      */
     cache->key = apr_pstrdup(r->pool, *key);
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
-                 "cache: Key for entity %s?%s is %s", r->parsed_uri.path,
+                 "cache: Key for entity %s?%s is %s", r->uri,
                  r->parsed_uri.query, *key);
 
     return APR_SUCCESS;

Modified: httpd/httpd/trunk/modules/dav/main/util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/util.c?rev=966348&r1=966347&r2=966348&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/dav/main/util.c (original)
+++ httpd/httpd/trunk/modules/dav/main/util.c Wed Jul 21 18:25:01 2010
@@ -625,7 +625,8 @@ static dav_error * dav_process_if_header
 
             /* 2518 specifies this must be an absolute URI; just take the
              * relative part for later comparison against r->uri */
-            if ((rv = apr_uri_parse(r->pool, uri, &parsed_uri)) != APR_SUCCESS) {
+            if ((rv = apr_uri_parse(r->pool, uri, &parsed_uri)) != APR_SUCCESS
+                || !parsed_uri.path) {
                 return dav_new_error(r->pool, HTTP_BAD_REQUEST,
                                      DAV_ERR_IF_TAGGED, rv,
                                      "Invalid URI in tagged If-header.");
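Review bot: When `apr_uri_parse` succeeds but `parsed_uri.path` is NULL, the new branch reaches `dav_new_error` with `rv` still equal to `APR_SUCCESS`, so the 400 error object records a success status as its cause. Anyone reading logs or the error chain will see a rejected If-header with no underlying error, which makes malformed-request probing harder to spot. I would pass a real status on that path, e.g. `rv != APR_SUCCESS ? rv : APR_EINVAL` as the fourth argument. dav_process_if_header begins and continues outside this hunk.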

Modified: httpd/httpd/trunk/modules/session/mod_session.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/session/mod_session.c?rev=966348&r1=966347&r2=966348&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/session/mod_session.c (original)
+++ httpd/httpd/trunk/modules/session/mod_session.c Wed Jul 21 18:25:01 2010
@@ -63,7 +63,7 @@ static int session_included(request_rec 
         included = 0;
         for (i = 0; !included && i < conf->includes->nelts; i++) {
             const char *include = includes[i];
-            if (strncmp(r->parsed_uri.path, include, strlen(include))) {
+            if (strncmp(r->uri, include, strlen(include))) {
                 included = 1;
             }
         }
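Review bot: The include test on the changed line looks inverted: `strncmp` returns 0 on a match, so `if (strncmp(r->uri, include, strlen(include)))` sets `included = 1` when the URI does not start with the configured prefix. The commit only swaps the pointer being compared, so the include rules still select the opposite set of URLs from the one configured, which matters for a module that decides which requests get a session. The check should read `if (!strncmp(r->uri, include, strlen(include))) {`. The exclude test in the next hunk has the same inversion. session_included starts and ends outside the hunk.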
@@ -72,7 +72,7 @@ static int session_included(request_rec 
     if (conf->excludes->nelts) {
         for (i = 0; included && i < conf->includes->nelts; i++) {
             const char *exclude = excludes[i];
-            if (strncmp(r->parsed_uri.path, exclude, strlen(exclude))) {
+            if (strncmp(r->uri, exclude, strlen(exclude))) {
                 included = 0;
             }
         }
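Review bot: The exclude loop is bounded by `conf->includes->nelts` while it indexes `excludes[i]`, so with more include entries than exclude entries it reads past the end of the excludes array, and with fewer it never checks some exclude rules. The NULL-path fix leaves this untouched, and reading an out-of-range pointer that is then passed to `strlen` is the same class of crash this commit addresses. The loop header should be `for (i = 0; included && i < conf->excludes->nelts; i++) {`. The function body continues outside the hunk.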


