httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Dumpleton <grah...@apache.org>
Subject Re: Re: Re: CVE-2013-5704 fix breaks mod_wsgi
Date Tue, 13 Jan 2015 22:33:15 GMT
On 14 January 2015 at 09:10, <wrowe@rowe-clan.net> wrote:

>
>
>
> --------- Original Message ---------
> Subject: Re: Re: CVE-2013-5704 fix breaks mod_wsgi
> From: "Graham Dumpleton" <grahamd@apache.org>
> Date: 1/12/15 11:34 pm
> To: "dev@httpd.apache.org" <dev@httpd.apache.org>
>
> > But the damage has been done for some months on 2.2, and we are noticing
> this, now?
>  All distros still shipping Apache 2.2 still are using older mod_wsgi 3.X
> versions
>
>
> Makes sense...
>
>    which I don't at this point believe are affected by this issue.
>
>  And why not?
>
> https://github.com/GrahamDumpleton/mod_wsgi/blob/stable/3.X/mod_wsgi.c
>
> /* Create and populate our own request object. */
>     apr_pool_create(&p, c->pool);
> r = apr_pcalloc(p, sizeof(request_rec));
>
>

Because the code which is doing this is not running inside of the normal
Apache child worker processes but a separate managed process that mod_wsgi
creates just to run the WSGI application.

In that separate process things are much more controlled and arbitrary
Apache modules don't run stuff.

The only parts of the Apache code base that touch the new structure members
that I can find are the HTTP input filter, the proxy modules, sub requests
and logging.

In this separate managed processes the proxy modules are never use nor are
sub requests. The log functions which use the new structure members are
also not triggered as that only occurs in the Apache child worker processes.

The HTTP input filter is used, but due to the specific way that mod_wsgi
transfers data from the Apache child process to the separate managed
process, that request content is never chunked. As a consequence
the read_chunked_trailers() function which updates the structure members is
never called.

So although the request_rec size is going to be wrong, nothing ever
attempts to read or write past the short memory which is created in the
case of mod_wsgi <4.4.0 and so old versions aren't crashing when tested.

I agree this isn't ideal and users should update in case some other change
is made to Apache down the track which may change this, but right now it at
least means those older versions will not crash as mod_wsgi 4.4.0+ is.

FWIW, version 4.4.0 was only released November 28th 2014 and so not many
are actually likely using it.

Graham

Mime
View raw message