httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: svn commit: r1664205 - in /httpd/httpd/trunk: CHANGES server/protocol.c
Date Thu, 05 Mar 2015 08:38:16 GMT


On 03/05/2015 03:33 AM, covener@apache.org wrote:
> Author: covener
> Date: Thu Mar  5 02:33:16 2015
> New Revision: 1664205
> 
> URL: http://svn.apache.org/r1664205
> Log:
>   *) SECURITY: CVE-2015-0253 (cve.mitre.org)
>      core: Fix a crash with ErrorDocument 400 pointing
>      to a local URL-path with the INCLUDES filter active, introduced
>      in 2.4.11. PR 57531. [Yann Ylavic]
> 
> 
> Submitted By: ylavic
> Committed By: covener
> 
> 
> 
> 
> Modified:
>     httpd/httpd/trunk/CHANGES
>     httpd/httpd/trunk/server/protocol.c
> 

> Modified: httpd/httpd/trunk/server/protocol.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?rev=1664205&r1=1664204&r2=1664205&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/server/protocol.c (original)
> +++ httpd/httpd/trunk/server/protocol.c Thu Mar  5 02:33:16 2015
> @@ -606,8 +606,6 @@ static int read_request_line(request_rec
>               */
>              if (APR_STATUS_IS_ENOSPC(rv)) {
>                  r->status    = HTTP_REQUEST_URI_TOO_LARGE;
> -                r->proto_num = HTTP_VERSION(1,0);
> -                r->protocol  = apr_pstrdup(r->pool, "HTTP/1.0");
>              }
>              else if (APR_STATUS_IS_TIMEUP(rv)) {
>                  r->status = HTTP_REQUEST_TIME_OUT;
> @@ -615,6 +613,8 @@ static int read_request_line(request_rec
>              else if (APR_STATUS_IS_EINVAL(rv)) {
>                  r->status = HTTP_BAD_REQUEST;
>              }
> +            r->proto_num = HTTP_VERSION(1,0);
> +            r->protocol  = apr_pstrdup(r->pool, "HTTP/1.0");
>              return 0;
>          }
>      } while ((len <= 0) && (++num_blank_lines < max_blank_lines));
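
Review bot: the two assignments added just before `return 0` now run for every failure status in this block (ENOSPC, TIMEUP, EINVAL, and any rv that matches none of the three), but nothing at that spot says why they are unconditional. A short comment stating that the error response path needs r->protocol and r->proto_num set even when the request line could not be read would keep a later cleanup from moving them back into a single branch. This hunk also covers only this one `return 0`; any other early return in read_request_line that can leave r->protocol unset or client-supplied should be checked in the same way.
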
> 
> 
> 

Don't we need to have the following in addition to avoid a crash in another path?


Index: protocol.c
===================================================================
--- protocol.c  (revision 1664261)
+++ protocol.c  (working copy)
@@ -674,6 +674,8 @@
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02418)
                           "Invalid protocol '%s'", r->protocol);
             if (enforce_strict) {
+                r->protocol  = apr_pstrdup(r->pool, "HTTP/1.0");
+                r->proto_num = HTTP_VERSION(1,0);
                 r->status = HTTP_BAD_REQUEST;
                 return 0;
             }
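
Review bot: the two added lines in the `enforce_strict` branch repeat the pair committed in r1664205, in the opposite order (r->protocol first, then r->proto_num), so the same fallback now exists at two sites that can drift apart. Consider using the same order as the committed hunk and adding a one-line comment on why the protocol is forced to HTTP/1.0 before `return 0`, or moving the pair into a small static helper called from both places. The placement after the ap_log_rerror call is right, since the debug message still reports the original invalid r->protocol value; that ordering should be kept if the code is refactored.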



Regards

Rüdiger
