Date: Thu, 1 Sep 2011 15:30:57 +0100
From: Nick Kew
To: dev@httpd.apache.org
Subject: Re: CVE-2003-1418 - still affects apache 2 current
Message-ID: <20110901153057.7b866160@baldur>
In-Reply-To: <20110901123911.GE13838@suse.de>

On Thu, 1 Sep 2011 14:39:11 +0200 Marcus Meissner wrote:
> Hi,
>
> CVE-2003-1418, a minor security issue, is still affecting the current codebase.
>
> Someone opened a tracker bug a year ago without feedback:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49623

I've just hacked up a simple candidate patch. Review?

(trunk patch - trivial offset when applied to 2.2.x)

-- 
Nick Kew

Index: modules/http/http_etag.c =================================================================== --- modules/http/http_etag.c (revision 1164053) +++ modules/http/http_etag.c (working copy) @@ -26,6 +26,7 @@ #include "http_core.h" #include "http_protocol.h" /* For index_of_response(). Grump. */ #include "http_request.h" +#include "util_md5.h" /* Generate the human-readable hex representation of an apr_uint64_t * (basically a faster version of 'sprintf("%llx")') @@ -50,6 +51,13 @@ *next++ = HEX_DIGITS[u & (apr_uint64_t)0xf]; return next; } +static char *etag_uint64_to_md5(char *next, apr_uint64_t u, apr_pool_t *pool) +{ + char *digest = ap_md5_binary(pool, (unsigned char*)&u, sizeof(u)); + int len = strlen(digest); + memcpy(next, digest, len); + return next+len; +} #define ETAG_WEAK "W/" #define CHARS_PER_UINT64 (sizeof(apr_uint64_t) * 2)
@@ -114,7 +122,7 @@ * FileETag keywords. */ etag = apr_palloc(r->pool, weak_len + sizeof("\"--\"") + - 3 * CHARS_PER_UINT64 + 1); + 2 * CHARS_PER_UINT64 + 2 * APR_MD5_DIGESTSIZE + 1); next = etag; if (weak) { while (*weak) { @@ -124,7 +132,7 @@ *next++ = '"'; bits_added = 0; if (etag_bits & ETAG_INODE) { - next = etag_uint64_to_hex(next, r->finfo.inode); + next = etag_uint64_to_md5(next, r->finfo.inode, r->pool); bits_added |= ETAG_INODE; } if (etag_bits & ETAG_SIZE) {
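Review bot: in the `@@ -50,6 +51,13 @@` hunk, etag_uint64_to_md5 takes an unkeyed MD5 over the raw 8 bytes of the inode, which does not really hide the value the CVE is about: inode numbers sit in a small, predictable range, so anyone who knows the construction can enumerate candidates and match the digest. Mixing in a per-server secret that never appears in a response (and is persisted so ETags stay stable across restarts) would make the mapping non-invertible from outside; as written this is obfuscation rather than concealment. Two smaller points on the same lines: `int len = strlen(digest)` mixes int and size_t, and since ap_md5_binary always returns a hex string of exactly 2 * APR_MD5_DIGESTSIZE characters, the copy could use that constant instead of strlen, which would also make the buffer size in the allocation hunk self-evidently correct. Hashing the in-memory bytes of the apr_uint64_t also makes the result endianness-dependent, so the same file on shared storage can get different ETags from hosts of different byte order.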
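Review bot: in the `@@ -114,7 +122,7 @@` hunk, the new size expression `2 * CHARS_PER_UINT64 + 2 * APR_MD5_DIGESTSIZE + 1` quietly encodes the assumption that exactly one of the three fields is the MD5 one; a comment here, or a named constant defined next to etag_uint64_to_md5 and used in both places, would keep the buffer and the writer from drifting apart if the digest or the set of fields changes later. APR_MD5_DIGESTSIZE is defined in apr_md5.h, so this line relies on that header being pulled in through the newly added util_md5.h include; worth confirming rather than assuming.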
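Review bot: in the `@@ -124,7 +132,7 @@` hunk, swapping etag_uint64_to_hex for etag_uint64_to_md5 changes the ETag of every resource on every server that has INode in its FileETag setting and lengthens it by 16 characters, so all cached copies will revalidate with a mismatch once after upgrade; harmless, but it deserves a CHANGES entry and a note in the FileETag documentation describing the new format. Size and mtime remain plain hex, which is fine for the CVE, but the comment above the hex helper in the first hunk ("human-readable hex representation") now describes only two of the three fields and could say so.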