
From n..@apache.org
Subject svn commit: r1792169 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/httpd.h modules/generators/mod_status.c modules/proxy/mod_proxy.c server/config.c server/util.c
Date Fri, 21 Apr 2017 08:44:06 GMT
Author: niq
Date: Fri Apr 21 08:44:06 2017
New Revision: 1792169

URL: http://svn.apache.org/viewvc?rev=1792169&view=rev
Log:
Introduce request taint-checking concept.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/include/ap_mmn.h
    httpd/httpd/trunk/include/httpd.h
    httpd/httpd/trunk/modules/generators/mod_status.c
    httpd/httpd/trunk/modules/proxy/mod_proxy.c
    httpd/httpd/trunk/server/config.c
    httpd/httpd/trunk/server/util.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1792169&r1=1792168&r2=1792169&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri Apr 21 08:44:06 2017
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) Introduce request taint checking framework to prevent privilege
+     hijacking through .htaccess. [Nick Kew]
+
   *) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
      protocols.  [Jean-Frederic Clere]
 

Modified: httpd/httpd/trunk/include/ap_mmn.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/ap_mmn.h?rev=1792169&r1=1792168&r2=1792169&view=diff
==============================================================================
--- httpd/httpd/trunk/include/ap_mmn.h (original)
+++ httpd/httpd/trunk/include/ap_mmn.h Fri Apr 21 08:44:06 2017
@@ -551,6 +551,7 @@
  *                         Added ap_scan_vchar_obstext()
  * 20161018.2 (2.5.0-dev)  add ap_set_conn_count()
  * 20161018.3 (2.5.0-dev)  add ap_exists_directive()
+ * 20161018.4 (2.5.0-dev)  Add taint to request_rec and ap_request_tainted()
  */
 
 #define MODULE_MAGIC_COOKIE 0x41503235UL /* "AP25" */
@@ -558,7 +559,7 @@
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
 #define MODULE_MAGIC_NUMBER_MAJOR 20161018
 #endif
-#define MODULE_MAGIC_NUMBER_MINOR 3                 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 4                 /* 0...n */
 
 /**
  * Determine if the server's current MODULE_MAGIC_NUMBER is at least a

Modified: httpd/httpd/trunk/include/httpd.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/httpd.h?rev=1792169&r1=1792168&r2=1792169&view=diff
==============================================================================
--- httpd/httpd/trunk/include/httpd.h (original)
+++ httpd/httpd/trunk/include/httpd.h Fri Apr 21 08:44:06 2017
@@ -1074,6 +1074,11 @@ struct request_rec {
      *  TODO: 2 bit signed bitfield when this structure is compacted
      */
     int double_reverse;
+    /** Mark the request as potentially tainted.  This might become a
+     *  bitfield if we identify different taints to be flagged.
+     *  Always use ap_request_tainted() to check taint.
+     */
+    int taint;
 };
 
 /**
@@ -2153,6 +2158,17 @@ AP_DECLARE(apr_status_t) ap_timeout_para
  */
 AP_DECLARE(int) ap_request_has_body(request_rec *r);
 
+/** Request taint flags.  Only .htaccess defined. */
+#define AP_TAINT_HTACCESS 0x1
+/**
+ * Check whether a request is tainted by potentially-untrusted sources.
+ *
+ * @param r     the request
+ * @param flags Taint flags to check
+ * @return truth value
+ */
+AP_DECLARE(int) ap_request_tainted(request_rec *r, int flags);
+
 /**
  * Cleanup a string (mainly to be filesystem safe)
  * We only allow '_' and alphanumeric chars. Non-printable
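Review bot: The @param/@return text on the new declaration does not tell callers that the check is transitive: the implementation in server/util.c in this same commit also walks r->main and r->prev, so a subrequest or internally-redirected request derived from a tainted one reports tainted even when its own r->taint is 0. That is exactly the property the mod_status and mod_proxy guards rely on, and it belongs in the header, e.g. `@param flags bitmask of AP_TAINT_* values to test` and `@return nonzero if any flag in flags is set on r, on r->main or on r->prev (checked recursively); 0 otherwise, including when r is NULL`. The comment on the `taint` field in the first hunk could likewise say that modules only ever OR bits into it (`r->taint |= AP_TAINT_...`) and never read it directly, which the existing "Always use ap_request_tainted()" line only implies.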

Modified: httpd/httpd/trunk/modules/generators/mod_status.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c?rev=1792169&r1=1792168&r2=1792169&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/generators/mod_status.c (original)
+++ httpd/httpd/trunk/modules/generators/mod_status.c Fri Apr 21 08:44:06 2017
@@ -213,6 +213,13 @@ static int status_handler(request_rec *r
         return DECLINED;
     }
 
+    /* A request that has passed through .htaccess has no business
+     * landing up here.
+     */
+    if (ap_request_tainted(r, AP_TAINT_HTACCESS)) {
+        return DECLINED;
+    }
+
 #ifdef HAVE_TIMES
     times_per_thread = getpid() != child_pid;
 #endif
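Review bot: The new guard declines silently, so an administrator whose status page stops working under a directory that contains an .htaccess file gets nothing in the error log; a debug-level `ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "declining server-status: request tainted by .htaccess");` before the `return DECLINED;` would make the refusal diagnosable. Note also that the bit is set as soon as an .htaccess file is parsed (server/config.c in this commit), not only when that file touched the handler, so the guard also rejects requests where the .htaccess was unrelated to server-status; that is a deliberately conservative choice and worth stating in the comment above the check. status_handler starts outside the hunk.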

Modified: httpd/httpd/trunk/modules/proxy/mod_proxy.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy.c?rev=1792169&r1=1792168&r2=1792169&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/proxy/mod_proxy.c (original)
+++ httpd/httpd/trunk/modules/proxy/mod_proxy.c Fri Apr 21 08:44:06 2017
@@ -932,6 +932,14 @@ static int proxy_fixup(request_rec *r)
     if (!r->proxyreq || !r->filename || strncmp(r->filename, "proxy:", 6) != 0)
         return DECLINED;
 
+    /* A request that has passed through .htaccess has no business
+     * serving contents from so far outside its directory.
+     * Since we're going to decline it, don't waste time here.
+     */
+    if (ap_request_tainted(r, AP_TAINT_HTACCESS)) {
+        return DECLINED;
+    }
+
     /* XXX: Shouldn't we try this before we run the proxy_walk? */
     url = &r->filename[6];
 
@@ -1025,6 +1033,13 @@ static int proxy_handler(request_rec *r)
         return DECLINED;
     }
 
+    /* A request that has passed through .htaccess has no business
+     * serving contents from so far outside its directory.
+     */
+    if (ap_request_tainted(r, AP_TAINT_HTACCESS)) {
+        return DECLINED;
+    }
+
     if (!r->proxyreq) {
         /* We may have forced the proxy handler via config or .htaccess */
         if (r->handler &&

Modified: httpd/httpd/trunk/server/config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/config.c?rev=1792169&r1=1792168&r2=1792169&view=diff
==============================================================================
--- httpd/httpd/trunk/server/config.c (original)
+++ httpd/httpd/trunk/server/config.c Fri Apr 21 08:44:06 2017
@@ -2196,6 +2196,8 @@ AP_CORE_DECLARE(int) ap_parse_htaccess(a
             const char *errmsg;
             ap_directive_t *temptree = NULL;
 
+            /* Mark the request as tainted by .htaccess */
+            r->taint |= AP_TAINT_HTACCESS;
             dc = ap_create_per_dir_config(r->pool);
 
             parms.config_file = f;
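Review bot: The bit is set before `ap_create_per_dir_config()` and before the file is parsed, so a file that fails to parse still marks the request; that is the safe direction but the comment should say so, e.g. `/* Mark the request as tainted by .htaccess.  Done before parsing so that a failed or partial parse still counts as exposure. */`. ap_parse_htaccess starts outside the hunk; if it has an earlier return that reuses an already-parsed entry from `r->htaccess` (not visible here), that path never sets r->taint, so it is worth confirming that every request reaching it either already carries the bit or is reachable through main/prev from one that does.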

Modified: httpd/httpd/trunk/server/util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util.c?rev=1792169&r1=1792168&r2=1792169&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util.c (original)
+++ httpd/httpd/trunk/server/util.c Fri Apr 21 08:44:06 2017
@@ -2580,6 +2580,21 @@ AP_DECLARE(int) ap_request_has_body(requ
     return has_body;
 }
 
+/**
+ * Check whether a request is tainted by exposure to something
+ * potentially untrusted.  
+ *
+ */
+AP_DECLARE(int) ap_request_tainted(request_rec *r, int flags)
+{
+    /** Potential future: a hook or callback here could serve modules
+     *  like mod_security and ironbee with more complex needs.
+     */
+    return r && ((r->taint&flags)
+                 || ap_request_tainted(r->main, flags)
+                 || ap_request_tainted(r->prev, flags));
+}
+
 AP_DECLARE_NONSTD(apr_status_t) ap_pool_cleanup_set_null(void *data_)
 {
     void **ptr = (void **)data_;
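Review bot: The function's own doc comment lacks the @param/@return lines its declaration in httpd.h carries, and it leaves the recursion undocumented: the result is the OR of the request's own bits with those of r->main and r->prev, each checked recursively, with `r == NULL` yielding 0. Suggest `@param r the request, may be NULL`, `@param flags bitmask of AP_TAINT_* values` and `@return nonzero if any flag in flags is set on r or on any request reachable from it via main/prev`. Style: `r->taint&flags` wants spaces around `&`, the in-body `/**` is Doxygen markup in a place Doxygen does not read (plain `/*`), and the "potentially untrusted." line carries trailing whitespace. The walk follows only main and prev, never next, so it presumably cannot cycle, but it is repeated on every check a module makes rather than computed once per request; a short comment noting that the cost is bounded by the redirect/subrequest depth would save the next reader the same analysis.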


