Message-ID: <54F815F8.4000404@apache.org>
Date: Thu, 05 Mar 2015 09:38:16 +0100
From: Ruediger Pluem
To: dev@httpd.apache.org
Subject: Re: svn commit: r1664205 - in /httpd/httpd/trunk: CHANGES server/protocol.c

On 03/05/2015 03:33 AM, covener@apache.org wrote: > Author: covener > Date: Thu Mar 5 02:33:16 2015 > New Revision: 1664205 > > URL: http://svn.apache.org/r1664205 > Log: > *) SECURITY: CVE-2015-0253 (cve.mitre.org) > core: Fix a crash introduced in with ErrorDocument 400 pointing > to a local URL-path with the INCLUDES filter active, introduced > in 2.4.11. PR 57531. [Yann Ylavic] > > > Submitted By: ylavic > Committed By: covener > > > > > Modified: > httpd/httpd/trunk/CHANGES > httpd/httpd/trunk/server/protocol.c > > Modified: httpd/httpd/trunk/server/protocol.c > URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?rev=1664205&r1=1664204&r2=1664205&view=diff > ============================================================================== > --- httpd/httpd/trunk/server/protocol.c (original) > +++ httpd/httpd/trunk/server/protocol.c Thu Mar 5 02:33:16 2015 > @@ -606,8 +606,6 @@ static int read_request_line(request_rec > */ > if (APR_STATUS_IS_ENOSPC(rv)) { > r->status = HTTP_REQUEST_URI_TOO_LARGE; > - r->proto_num = HTTP_VERSION(1,0); > - r->protocol = apr_pstrdup(r->pool, "HTTP/1.0"); > } > else if (APR_STATUS_IS_TIMEUP(rv)) { > r->status = HTTP_REQUEST_TIME_OUT; 
> @@ -615,6 +613,8 @@ static int read_request_line(request_rec > else if (APR_STATUS_IS_EINVAL(rv)) { > r->status = HTTP_BAD_REQUEST; > } > + r->proto_num = HTTP_VERSION(1,0); > + r->protocol = apr_pstrdup(r->pool, "HTTP/1.0"); > return 0; > } > } while ((len <= 0) && (++num_blank_lines < max_blank_lines)); > > > Don't we need to have the following in addition to avoid a crash in another path? Index: protocol.c =================================================================== --- protocol.c (revision 1664261) +++ protocol.c (working copy) @@ -674,6 +674,8 @@ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02418) "Invalid protocol '%s'", r->protocol); if (enforce_strict) { + r->protocol = apr_pstrdup(r->pool, "HTTP/1.0"); + r->proto_num = HTTP_VERSION(1,0); r->status = HTTP_BAD_REQUEST; return 0; } Regards Rüdiger
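
Review bot: in the r1664205 hunks for read_request_line(), the relocated pair `r->proto_num = HTTP_VERSION(1,0);` and `r->protocol = apr_pstrdup(r->pool, "HTTP/1.0");` carries no comment at its new position just before `return 0;`. A one-line comment there, saying that the error response (per the log message, ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active) needs a protocol set on every error exit, would keep a later cleanup from folding the pair back under the ENOSPC branch. The visible if / else-if chain (ENOSPC, TIMEUP, EINVAL) also has no final else, so for any other rv the protocol is defaulted while r->status is left as it was; it is worth stating in the same comment that this is intended.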
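
Review bot: the two lines added inside `if (enforce_strict) {` in the follow-up patch duplicate the HTTP/1.0 fallback that r1664205 places before `return 0;`, and set the fields in the opposite order (`r->protocol` first, then `r->proto_num`). A small static helper that sets both fields, called from each error exit, would keep the two sites from drifting apart and make it harder to miss a further `return 0` path. Placing the overwrite after the `ap_log_rerror(... "Invalid protocol '%s'", r->protocol)` call is the right order, since the client-supplied string is still logged before it is replaced; a short comment saying so would protect that ordering. The hunk covers only the enforce_strict branch, so the code that follows the closing brace should be checked for the same unset-protocol condition.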