httpd-cvs mailing list archives

From rpl...@apache.org
Subject svn commit: r1576716 - in /httpd/httpd/branches/2.2.x: ./ CHANGES STATUS modules/loggers/mod_log_config.c
Date Wed, 12 Mar 2014 12:41:07 GMT
Author: rpluem
Date: Wed Mar 12 12:41:07 2014
New Revision: 1576716

URL: http://svn.apache.org/r1576716
Log:
Merge r1575400 from trunk:

CVE-2014-0098 (reported by Rainer Canavan <rainer-apache 7val com>)
Segfaults w/ truncated cookie logging.

Clean up the cookie logging parser to recognize only the cookie=value pairs,
not valueless cookies.  This refactors multiple passes over the same string
buffer into a single pass parser.

Submitted by: wrowe
Reviewed by: rpluem, jim 

Reviewed by: wrowe, ylavic, jim

Modified:
    httpd/httpd/branches/2.2.x/   (props changed)
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/modules/loggers/mod_log_config.c

Propchange: httpd/httpd/branches/2.2.x/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk:r1575400

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1576716&r1=1576715&r2=1576716&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Wed Mar 12 12:41:07 2014
@@ -1,6 +1,12 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.27
 
+  *) SECURITY: CVE-2014-0098 (cve.mitre.org)
+     Clean up cookie logging with fewer redundant string parsing passes.
+     Log only cookies with a value assignment. Prevents segfaults when
+     logging truncated cookies.
+     [William Rowe, Ruediger Pluem, Jim Jagielski]
+
   *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
      TE/CL conflicts. [Yann Ylavic <ylavic.dev gmail com>, Jim Jagielski]
 
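Review bot: the CHANGES entry omits the reporter credit that the log message carries ("reported by Rainer Canavan"); SECURITY entries normally name the reporter alongside the CVE, so consider appending it after the CVE line. The entry would also read more precisely if it said what "truncated" means here, i.e. a cookie header entry with no '=' (a valueless cookie), since that is the input the old parser mishandled and the one this change now skips.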

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1576716&r1=1576715&r2=1576716&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Wed Mar 12 12:41:07 2014
@@ -98,13 +98,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) mod_log_config: Clean up cookie logging with fewer redundant
-     string parsing passes.  Log only cookies with a value assignment.
-     [William Rowe, Ruediger Pluem, Jim Jagielski]
-     trunk patch: http://svn.apache.org/r1575400
-     2.4.x patch: trunk works
-     +1: wrowe, ylavic, jim
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 

Modified: httpd/httpd/branches/2.2.x/modules/loggers/mod_log_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/loggers/mod_log_config.c?rev=1576716&r1=1576715&r2=1576716&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/loggers/mod_log_config.c (original)
+++ httpd/httpd/branches/2.2.x/modules/loggers/mod_log_config.c Wed Mar 12 12:41:07 2014
@@ -524,14 +524,24 @@ static const char *log_cookie(request_re
 
         while ((cookie = apr_strtok(cookies, ";", &last1))) {
             char *name = apr_strtok(cookie, "=", &last2);
-            if (name) {
-                char *value = name + strlen(name) + 1;
-                apr_collapse_spaces(name, name);
+            /* last2 points to the next char following an '=' delim,
+               or the trailing NUL char of the string */
+            char *value = last2;
+            if (name && *name &&  value && *value) {
+                char *last = value - 2;
+                /* Move past leading WS */
+                name += strspn(name, " \t");
+                while (last >= name && apr_isspace(*last)) {
+                    *last = '\0';
+                    --last;
+                }
 
                 if (!strcasecmp(name, a)) {
-                    char *last;
-                    value += strspn(value, " \t");  /* Move past leading WS */
-                    last = value + strlen(value) - 1;
+                    /* last1 points to the next char following the ';' delim,
+                       or the trailing NUL char of the string */
+                    last = last1 - (*last1 ? 2 : 1);
+                    /* Move past leading WS */
+                    value += strspn(value, " \t");
                     while (last >= value && apr_isspace(*last)) {
                        *last = '\0';
                        --last;
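Review bot: the end-of-value computation `last = last1 - (*last1 ? 2 : 1);` misses one case. When the ';' consumed by apr_strtok was the final character of the header (e.g. "name=value ;"), apr_strtok replaces it with NUL and leaves last1 pointing at the original terminating NUL, so `*last1` is 0, `last` lands on the NUL that replaced the ';', apr_isspace() is false, and the trailing whitespace in the value is not trimmed, unlike every non-final cookie. Since `*value` is already checked non-empty in the surrounding if, the original form `last = value + strlen(value) - 1;` is now safe and handles both cases uniformly; the original crash came from `value = name + strlen(name) + 1` running past the NUL when no '=' was present, not from the strlen on the value. Separately, `char *last = value - 2;` silently relies on the invariant that `*value != '\0'` implies an '=' was found and overwritten at `value - 1`; a one-line comment stating that would make the pointer arithmetic easier to audit.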
@@ -540,6 +550,7 @@ static const char *log_cookie(request_re
                     return ap_escape_logitem(r->pool, value);
                 }
             }
+            /* Iterate the remaining tokens using apr_strtok(NULL, ...) */
             cookies = NULL;
         }
     }


