httpd-dev mailing list archives

From "William A. Rowe, Jr." <>
Subject Re: [patch 2.0] http body request/response/trace conformance
Date Fri, 15 Jul 2005 19:42:10 GMT
At 03:03 PM 7/14/2005, William A. Rowe, Jr. wrote:
>To simplify - Jeff, Joe and I reviewed two of the patches, and they
>are committed.  Two patches are available for comment;


  *) Added TraceEnable [on|off|extended] per-server directive to alter
     the behavior of the TRACE method.  This addresses a flaw in proxy
     conformance to RFC 2616 - previously the proxy server would accept
     a TRACE request body although the RFC prohibited it.  The default
     remains 'TraceEnable on'.  [William Rowe]


and changelog;

  *) SECURITY: CAN-2005-2088
     proxy: Correctly handle the Transfer-Encoding and Content-Length
     headers.  Discard the request Content-Length whenever T-E: chunked
     is used, always passing one of either C-L or T-E: chunked whenever 
     the request includes a request body.  Resolves an entire class of
     proxy HTTP Request Splitting/Spoofing attacks.  [William Rowe]

The newest flavor based on my most recent commits from Roy and Jeff's
feedback is available at;

and 2.0 STATUS is updated accordingly.  Votes/Comments please?

>Although proxy-request.patch will evolve as this discussion
>continues; Jeff caused me to look, again, at the code and
>recognize another edge case already committed to trunk 
>(and also in the patch.)  proxy-request.patch will ultimately
>mirror what we agree to on trunk.
>And FYI, revert r219061 (below) from 2.1 or 2.0 to see the
>continued misbehavior of proxy without the proxy-request.patch.
>--- httpd/httpd/branches/2.0.x/server/protocol.c (original)
>+++ httpd/httpd/branches/2.0.x/server/protocol.c Thu Jul 14 09:51:55 2005
>@@ -885,6 +885,15 @@
>             apr_brigade_destroy(tmp_bb);
>             return r;
>         }
>+        if (apr_table_get(r->headers_in, "Transfer-Encoding")
>+            && apr_table_get(r->headers_in, "Content-Length")) {
>+            /* 2616 section 4.4, point 3: "if both Transfer-Encoding
>+             * and Content-Length are received, the latter MUST be
>+             * ignored"; so unset it here to prevent any confusion
>+             * later. */
>+            apr_table_unset(r->headers_in, "Content-Length");
>+        }
>     }
>     else {
>         if (r->header_only) {
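Review bot: the added condition fires for any Transfer-Encoding value, not only "chunked", while the changelog entry above says Content-Length is discarded "whenever T-E: chunked is used"; a request carrying Transfer-Encoding: identity together with Content-Length loses its only usable body length here. Either test the value (for example with strcasecmp against "chunked") so the code matches the changelog, or say in the comment that any Transfer-Encoding is intended to suppress Content-Length, which is what the section 4.4 wording quoted in the comment literally states. Also note that apr_table_get returns a non-NULL pointer for a header with an empty value, so an empty Transfer-Encoding header also strips Content-Length with this check.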

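The request-splitting class named in the CAN-2005-2088 changelog entry, as an added example that is not part of this message or of httpd's code: two toy parsers read one constructed byte stream, one giving Transfer-Encoding precedence as RFC 2616 section 4.4 requires, the other honouring Content-Length alongside Transfer-Encoding: chunked as the pre-patch proxy did. The hosts, paths and header values are made up for the example, and sanitize_for_forwarding is an illustrative restatement of the quoted patch's rule in Python, not its actual code.

```python
"""Added example (not httpd code): why a proxy must drop Content-Length when
Transfer-Encoding: chunked is present (RFC 2616 section 4.4, point 3).

Two toy request parsers consume the same constructed byte stream. One gives
Transfer-Encoding precedence, as the RFC requires; the other honours
Content-Length even when Transfer-Encoding: chunked is present (the pre-patch
proxy behaviour). They disagree on where the first request ends, which is the
request-splitting condition the changelog entry describes.
"""


def _parse_headers(stream, pos):
    """Return (request_line, headers, body_start) for the request at pos.

    Header names are lower-cased bytes; values are stripped bytes.
    """
    end = stream.index(b"\r\n\r\n", pos)
    lines = stream[pos:end].split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("ascii"), headers, end + 4


def _read_chunked(stream, pos):
    """Decode a chunked body starting at pos; return (body, position after it)."""
    body = b""
    while True:
        line_end = stream.index(b"\r\n", pos)
        size = int(stream[pos:line_end].split(b";")[0], 16)  # drop chunk extensions
        pos = line_end + 2
        if size == 0:
            # last-chunk: skip trailer lines up to and including the empty line
            while True:
                line_end = stream.index(b"\r\n", pos)
                is_blank = line_end == pos
                pos = line_end + 2
                if is_blank:
                    return body, pos
        body += stream[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def split_requests(stream, trust_content_length):
    """Split a byte stream into (request_line, body) pairs.

    trust_content_length=False: RFC 2616 4.4 behaviour; Transfer-Encoding: chunked
    frames the body and Content-Length is ignored.
    trust_content_length=True: the pre-patch mistake; Content-Length frames the
    body even when Transfer-Encoding: chunked is present.
    """
    requests = []
    pos = 0
    while pos < len(stream):
        request_line, headers, pos = _parse_headers(stream, pos)
        chunked = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
        content_length = headers.get(b"content-length")
        if chunked and not (trust_content_length and content_length is not None):
            body, pos = _read_chunked(stream, pos)
        elif content_length is not None:
            length = int(content_length)
            body, pos = stream[pos:pos + length], pos + length
        else:
            body = b""
        requests.append((request_line, body))
    return requests


def sanitize_for_forwarding(headers):
    """Illustrative restatement of the rule in the quoted patch: if Transfer-Encoding
    is present, drop Content-Length so the origin can frame the body only one way."""
    cleaned = dict(headers)
    if b"transfer-encoding" in cleaned:
        cleaned.pop(b"content-length", None)
    return cleaned


# Constructed attack stream; hosts and paths are made up for this example.
# The smuggled request is hidden inside the single chunk of the outer POST. Its own
# Content-Length: 5 swallows the outer request's "0\r\n\r\n" terminator when a
# Content-Length-trusting parser reads it as a separate request.
SMUGGLED_REQUEST = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
)
_CHUNK_SIZE_LINE = b"%x\r\n" % len(SMUGGLED_REQUEST)
SMUGGLING_STREAM = b"".join([
    b"POST /search HTTP/1.1\r\n",
    b"Host: example.test\r\n",
    b"Content-Length: %d\r\n" % len(_CHUNK_SIZE_LINE),  # covers only the chunk-size line
    b"Transfer-Encoding: chunked\r\n",
    b"\r\n",
    _CHUNK_SIZE_LINE,
    SMUGGLED_REQUEST,
    b"\r\n",  # CRLF that terminates the chunk data
    b"0\r\n",
    b"\r\n",
])

if __name__ == "__main__":
    for trust in (False, True):
        label = "Content-Length trusted" if trust else "Transfer-Encoding wins"
        for line, body in split_requests(SMUGGLING_STREAM, trust):
            print(f"{label}: {line} body={body!r}")
```

Run stand-alone, the conformant parser reports one POST whose body is the would-be GET /admin request, while the Content-Length-trusting parser reports two requests, the second being GET /admin; a proxy and origin that disagree in this way is exactly the splitting condition, and forwarding only one framing (as sanitize_for_forwarding does) removes the disagreement.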