httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject RE: Re: CVE-2013-5704 fix breaks mod_wsgi
Date Mon, 12 Jan 2015 17:12:16 GMT
--------- Original Message --------- Subject: Re: CVE-2013-5704 fix breaks mod_wsgi
From: "Joe Orton" <>
Date: 1/12/15 5:27 am
To: "Graham Dumpleton" <>
Cc: "" <>

On Sat, Jan 10, 2015 at 09:04:12AM +1100, Graham Dumpleton wrote:
 > 1. Verify that recompiling mod_wsgi is actually sufficient given than my
 > direct use of request_rec isn't going to populate the extra fields and they
 > will remain NULL still. As trailers shouldn't be expected in context the
 > request_rec is being used directly by mod_wsgi those attributes shouldn't
 > be touched, but if that is the case, why would it be crashing without
 > recompilation happening. So need to also actually verify whether it can't
 > limp on as is for now if it isn't crashing.

 Yup, I should have mentioned that too. You are right, we had to pach 
 mod_wsgi to fix the issue properly as well:

 that can/should be surrounded with

 #if AP_MODULE_MAGIC_AT_LEAST(20120211, 37)
 #endif make it conditional on an httpd with those fields. (Hadn't 
 submitted that back upstream yet sorry - we wanted to find a "proper" 
 solution httpd-side for this.)
 Exactly.  These fixes are already in for httpd's mod_ftp svn.  I had also missed this while
building that module and hadn't put it through its paces, as we were preparing 2.2.
The proper solution is to never let the module create a structure such as request_req.  This
would normally be accomplished by semi-opaque/incomplete data types, which weren't portably
possible in '00 but might be realistic today.
Whether we expose a complete or incomplete datatype - that solution is to expose the object's
allocator/initializer.  OO programming topic 101.

View raw message