httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From j..@apache.org
Subject svn commit: r1392050 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS server/protocol.c
Date Sun, 30 Sep 2012 15:50:21 GMT
Author: jim
Date: Sun Sep 30 15:50:21 2012
New Revision: 1392050

URL: http://svn.apache.org/viewvc?rev=1392050&view=rev
Log:
  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
       Fix an issue in error responses that could expose "httpOnly" cookies
            when no custom ErrorDocument is specified for status code 400.
                 [Eric Covener]

                      r1234837 on 2.0.x:
                             http://people.apache.org/~trawick/2.0-CVE-2012-0053-r1234837.patch
                                  +1: trawick, rjung, jim


Modified:
    httpd/httpd/branches/2.0.x/CHANGES
    httpd/httpd/branches/2.0.x/STATUS
    httpd/httpd/branches/2.0.x/server/protocol.c

Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=1392050&r1=1392049&r2=1392050&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Sun Sep 30 15:50:21 2012
@@ -1,6 +1,11 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.65
 
+  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
+     Fix an issue in error responses that could expose "httpOnly" cookies
+     when no custom ErrorDocument is specified for status code 400.
+     [Eric Covener]
+
   *) SECURITY: CVE-2012-0031 (cve.mitre.org)
      Fix scoreboard issue which could allow an unprivileged child process 
      could cause the parent to crash at shutdown rather than terminate 

Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=1392050&r1=1392049&r2=1392050&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Sun Sep 30 15:50:21 2012
@@ -171,14 +171,6 @@ RELEASE SHOWSTOPPERS:
         http://people.apache.org/~trawick/2.0-CVE-2011-4317-r1235443.patch
        +1: trawick
 
-  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
-     Fix an issue in error responses that could expose "httpOnly" cookies
-     when no custom ErrorDocument is specified for status code 400.
-     [Eric Covener]
-
-     r1234837 on 2.0.x:
-       http://people.apache.org/~trawick/2.0-CVE-2012-0053-r1234837.patch
-     +1: trawick, rjung
 
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]

Modified: httpd/httpd/branches/2.0.x/server/protocol.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/server/protocol.c?rev=1392050&r1=1392049&r2=1392050&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/server/protocol.c (original)
+++ httpd/httpd/branches/2.0.x/server/protocol.c Sun Sep 30 15:50:21 2012
@@ -677,6 +677,16 @@ static int read_request_line(request_rec
     return 1;
 }
 
+/* get the length of the field name for logging, but no more than 80 bytes */
+#define LOG_NAME_MAX_LEN 80
+static int field_name_len(const char *field)
+{
+    const char *end = ap_strchr_c(field, ':');
+    if (end == NULL || end - field > LOG_NAME_MAX_LEN)
+        return LOG_NAME_MAX_LEN;
+    return end - field;
+}
+
 AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb)
 {
     char *last_field = NULL;
@@ -709,12 +719,15 @@ AP_DECLARE(void) ap_get_mime_headers_cor
             /* insure ap_escape_html will terminate correctly */
             field[len - 1] = '\0';
             apr_table_setn(r->notes, "error-notes",
-                           apr_pstrcat(r->pool,
+                           apr_psprintf(r->pool,
                                        "Size of a request header field "
                                        "exceeds server limit.<br />\n"
-                                       "<pre>\n",
-                                       ap_escape_html(r->pool, field),
-                                       "</pre>\n", NULL));
+                                        "<pre>\n%.*s\n</pre>/n",
+                                        field_name_len(field), 
+                                        ap_escape_html(r->pool, field)));
+            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
+                          "Request header exceeds LimitRequestFieldSize: "
+                          "%.*s", field_name_len(field), field);
             return;
         }
 
@@ -739,13 +752,17 @@ AP_DECLARE(void) ap_get_mime_headers_cor
                      * overflow (last_field) as the field with the problem
                      */
                     apr_table_setn(r->notes, "error-notes",
-                                   apr_pstrcat(r->pool,
+                                   apr_psprintf(r->pool,
                                                "Size of a request header field " 
                                                "after folding "
                                                "exceeds server limit.<br />\n"
-                                               "<pre>\n",
-                                               ap_escape_html(r->pool, last_field),
-                                               "</pre>\n", NULL));
+                                                "<pre>\n%.*s\n</pre>\n",
+                                                field_name_len(last_field),
+                                                ap_escape_html(r->pool, last_field)));
+                    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+                                  "Request header exceeds LimitRequestFieldSize "
+                                  "after folding: %.*s",
+                                  field_name_len(last_field), last_field);
                     return;
                 }
 
@@ -777,13 +794,17 @@ AP_DECLARE(void) ap_get_mime_headers_cor
                 if (!(value = strchr(last_field, ':'))) { /* Find ':' or    */
                     r->status = HTTP_BAD_REQUEST;      /* abort bad request */
                     apr_table_setn(r->notes, "error-notes",
-                                   apr_pstrcat(r->pool,
+                                   apr_psprintf(r->pool,
                                                "Request header field is "
                                                "missing ':' separator.<br />\n"
-                                               "<pre>\n",
-                                               ap_escape_html(r->pool,
-                                                              last_field),
-                                               "</pre>\n", NULL));
+                                                "<pre>\n%.*s</pre>\n",
+                                                (int)LOG_NAME_MAX_LEN,
+                                                ap_escape_html(r->pool,
+                                                               last_field)));
+                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                                  "Request header field is missing ':' "
+                                  "separator: %.*s", (int)LOG_NAME_MAX_LEN,
+                                  last_field);
                     return;
                 }
                 



Mime
View raw message