From: "William A. Rowe Jr."
To: dev@httpd.apache.org
Cc: trawick@gmail.com
Date: Fri, 21 Jun 2013 13:43:53 -0500
Subject: Re: [PATCH] ap_pregsub_ex and somewhat-limited ap_pregsub() to 2.2.x branch
Message-ID: <20130621134353.36327d3b@hub>

On Fri, 21 Jun 2013 13:19:36 -0400 Jeff Trawick wrote:

> Even with the CVE-2011-3607 it is still possible to DOS the server by
> consuming huge amounts of memory with mod_setenvif using a specially
> crafted configuration.
>
> Here's a backport of an existing fix in 2.4.x which resolves the
> issue I reproduced. Note that unlike in 2.4.x we need ap_pregsub to
> handle somewhat arbitrary string lengths. I picked 64MB, which can
> be overridden at compile time.
>
> http://people.apache.org/~trawick/ap_pregsub_ex_22x.txt
>
> This is essentially a grab of ap_pregsub/ap_pregsub_ex from 2.4.x
> HEAD with the minimal required changes plus
> http://svn.apache.org/viewvc?view=revision&revision=1198966
>
> See the XXX notes in the patch for apparent semantic changes which I
> probably need to back out. (I haven't researched that yet.)
>
> Normally we use STATUS to track this but I don't think it is as
> polished as we normally expect. Still to do (tomorrow?): Investigate
> the XXX's, run the regression suite.
>
> Concerns with the patch?
>
> Interested in any of this in the final 2.0.x release?

I am happy to hold up a short while to adopt this patch. I'm neutral on
adding it to 2.0.x but will certainly pause for it to be committed if
others agree and will review the 2.0.x backport.
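As an added example (not Jeff's patch and not httpd's own code), here is the shape of the fix under discussion: a backreference substitution in the style of ap_pregsub_ex that sizes its output in a first pass and refuses any expansion over a caller-supplied cap before allocating, which is the role the 64MB limit plays above. The match_t struct, bounded_pregsub and the SAMPLE_* values are constructed for this illustration; the offsets stand in for what a regex engine would report.

```c
#include <stdlib.h>
#include <string.h>
/* Match offsets as a regex engine reports them; rm_so == -1 means the group did not participate. */
typedef struct { int rm_so; int rm_eo; } match_t;
#define PREGSUB_TOO_LONG  -1   /* expansion would exceed the caller's cap */
#define PREGSUB_NO_MEMORY -2
/* Constructed sample: offsets a two-group pattern might report for this request line. */
static const char SAMPLE_SOURCE[] = "GET /index.html HTTP/1.1";
static const match_t SAMPLE_MATCH[3] = { {0, 24}, {4, 15}, {16, 24} };
/* Bytes that $N would insert; 0 for an unknown or non-participating group. */
static size_t group_len(const match_t *pm, size_t nmatch, size_t no)
{
    return (no < nmatch && pm[no].rm_so >= 0) ? (size_t)(pm[no].rm_eo - pm[no].rm_so) : 0;
}
/* Expand $0..$9 and \x escapes in `input` using `source`/`pmatch`. Pass 1 sizes the
 * result and refuses anything over `maxlen` before allocating; pass 2 copies. */
int bounded_pregsub(const char *input, const char *source, size_t nmatch,
                    const match_t *pmatch, size_t maxlen, char **out)
{
    size_t len = 0; const char *src; char *dst;
    *out = NULL;
    for (src = input; *src; src++) {          /* pass 1: measure, never allocate */
        size_t add = 1;
        if (*src == '$' && src[1] >= '0' && src[1] <= '9') {
            add = group_len(pmatch, nmatch, (size_t)(src[1] - '0'));
            src++;
        } else if (*src == '\\' && src[1] != '\0') {
            src++;                            /* escaped character, copied literally */
        }
        if (add > maxlen - len)               /* overflow-safe test for len + add > maxlen */
            return PREGSUB_TOO_LONG;
        len += add;
    }
    dst = *out = malloc(len + 1);
    if (!dst) return PREGSUB_NO_MEMORY;
    for (src = input; *src; src++) {          /* pass 2: copy into the exactly-sized buffer */
        if (*src == '$' && src[1] >= '0' && src[1] <= '9') {
            size_t no = (size_t)(src[1] - '0'), n = group_len(pmatch, nmatch, no);
            if (n) memcpy(dst, source + pmatch[no].rm_so, n);
            dst += n;
            src++;
            continue;
        }
        if (*src == '\\' && src[1] != '\0') src++;
        *dst++ = *src;
    }
    *dst = '\0';
    return 0;
}
```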