httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject CVE-2013-5704, mod_headers and chunked trailer fields
Date Tue, 01 Apr 2014 14:37:39 GMT

For context: http://martin.swende.se/blog/HTTPChunked.html

This was discussed a little on the security@ list last year but it's a 
difficult issue and there was not any consensus beyond the fact that the 
current behaviour is wrong, and "punt to dev@".  There is a separate 
thread about how to fix this, which Eric just re-started, but it would 
be good to discuss/find consensus on the security impact.

The API for handling trailer fields is unspecified, which is really why 
this bug exists; modules don't really expect those trailers to get 
merged into r->headers_in at a "surprising" time during request 
processing.

I'd argue that gateway modules can/should handle this case correctly, 
regardless of the httpd API; hence this is not a security issue in httpd 
as such.  For example, with mod_proxy acting as a reverse proxy, no 
headers can get "accidentally" passed through, since mod_proxy captures 
the request headers before processing the request body.

Regards, Joe
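
The timing problem described in the message above, as an added Python model (not part of the original post and not httpd code): a header-phase policy strips a field, the chunked body is then read, and a later reader of the header table sees the field again only if trailers were merged into it, while a copy taken before the body stays clean. The `X-Example-Auth` field, the `handle` function and the sample bytes are constructed for illustration.

```python
# Added model, not httpd code. Header names and sample bytes are constructed.

def parse_chunked(body: bytes):
    """Decode a chunked body; return (payload, trailers), trailers kept separate."""
    payload, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            break
        payload += body[pos:pos + size]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += size + 2
    trailers = {}
    while True:  # trailer section: field lines up to an empty line
        eol = body.index(b"\r\n", pos)
        line, pos = body[pos:eol], eol + 2
        if not line:
            return payload, trailers
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed trailer field")
        trailers[name.strip().lower().decode()] = value.strip().decode()

def handle(headers: dict, body: bytes, merge_trailers: bool) -> dict:
    """Header-phase policy, then body read, then a late reader of the table."""
    headers_in = {k.lower(): v for k, v in headers.items()}
    headers_in.pop("x-example-auth", None)  # policy: drop client-supplied value
    snapshot = dict(headers_in)             # gateway copies headers before the body
    payload, trailers = parse_chunked(body)
    if merge_trailers:
        headers_in.update(trailers)         # the late merge the post describes
    return {"late_view": headers_in.get("x-example-auth"),
            "snapshot_view": snapshot.get("x-example-auth"),
            "trailers": trailers, "payload": payload}

SAMPLE_HEADERS = {"Host": "example.test", "Transfer-Encoding": "chunked",
                  "X-Example-Auth": "from-header"}
SAMPLE_BODY = b"5\r\nhello\r\n0\r\nX-Example-Auth: from-trailer\r\n\r\n"

if __name__ == "__main__":
    for merge in (True, False):
        print(merge, handle(SAMPLE_HEADERS, SAMPLE_BODY, merge))
```
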
