httpd-users mailing list archives

From Rashmi Srinivasan <rashmisrinivasan2...@gmail.com>
Subject Re: [users@httpd] HTTPProtoco Options Apache 2.2
Date Wed, 14 Jun 2017 05:01:45 GMT
Thanks Eric. Please ignore my previous message.
http://svn.apache.org/viewvc?view=revision&revision=1783440

Porting from above, httpprotocoloptions works as expected.

Thanks,
Rashmi

On Wed, Jun 14, 2017 at 9:25 AM, Rashmi Srinivasan <rashmisrinivasan2007@gmail.com> wrote:

> Thanks for your response Eric.
> Porting the changes from http://svn.apache.org/viewvc?view=revision&revision=1783440 also didn't help.
>
> However, making a single change as below got the Unsafe option to work.
>
> conf = (core_server_config *)apr_pmemdup(p, virt, sizeof(core_server_config));
>
> to
>
> conf = (core_server_config *)apr_pmemdup(p, base, sizeof(core_server_config));
>
> Also, when both the changes exist, the Unsafe option doesn't seem to work.
>
> Is this change valid? Should we commit this to 2.2? Or is the Unsafe option supposed to report with a "BAD Request" response?
>
> Please advise.
>
>
> regards,
> Rashmi
>
>
>
>
>
> On Tue, Jun 13, 2017 at 11:56 PM, Eric Covener <covener@gmail.com> wrote:
>
>> http://svn.apache.org/viewvc?view=revision&revision=1783440
>>
>>
>> On Tue, Jun 13, 2017 at 2:19 PM, Rashmi Srinivasan
>> <rashmisrinivasan2007@gmail.com> wrote:
>> > Hi Yann/Eric.
>> > We have ported the changes for CVE-2016-8743 into Apache 2.2 on HP-UX.
>> > But while testing we find that HTTPProtocolOption Unsafe tested with
>> > GET /HTTP 1.0/\n\n responds with BAD Request, when it is supposed to
>> > succeed.
>> >
>> > However, after making changes as mentioned in
>> > https://bz.apache.org/bugzilla/show_bug.cgi?id=60704, the Unsafe option
>> > responds with a success.
>> >
>> > Is the below change valid for 2.2?
>> >
>> > in 2.2.32:
>> > static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv)
>> > {
>> >     core_server_config *base = (core_server_config *)basev;
>> >     core_server_config *virt = (core_server_config *)virtv;
>> >     core_server_config *conf;
>> >
>> >     conf = (core_server_config *)apr_pmemdup(p, base, sizeof(core_server_config));
>> >
>> > in 2.4.25:
>> > static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv)
>> > {
>> >     core_server_config *base = (core_server_config *)basev;
>> >     core_server_config *virt = (core_server_config *)virtv;
>> >     core_server_config *conf = (core_server_config *)
>> >                                apr_pmemdup(p, base, sizeof(core_server_config));
>> >
>> >
>> > Please advise.
>> >
>> > Thanks
>> > Rashmi
>>
>>
>>
>> --
>> Eric Covener
>> covener@gmail.com
>>
>
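
As an added illustration (not part of the thread and not httpd source code): a simplified C model of the merge pattern discussed above, showing that any field without an explicit merge step inherits from whichever struct is duplicated first. The struct, field names, constants and the `merge_conf`/`effective` helpers are hypothetical, and `malloc`/`memcpy` stand in for `apr_pmemdup`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not httpd source. 0 means "not set in this scope". */
enum { CONF_UNSET = 0, CONF_STRICT = 1, CONF_UNSAFE = 2 };

typedef struct {
    int http_conformance; /* hypothetical stand-in for the Strict/Unsafe setting */
    int other_setting;    /* stands in for the remaining per-server fields */
} server_conf;

/* Copy `seed` (either base or virt), then merge http_conformance explicitly
 * only when asked to. A field with no explicit merge keeps the seed's value. */
static server_conf *merge_conf(const server_conf *base, const server_conf *virt,
                               const server_conf *seed, int merge_field)
{
    server_conf *conf = malloc(sizeof(*conf)); /* stands in for apr_pmemdup */
    if (conf == NULL)
        return NULL;
    memcpy(conf, seed, sizeof(*conf));
    if (merge_field && virt->http_conformance != CONF_UNSET)
        conf->http_conformance = virt->http_conformance;
    else if (merge_field)
        conf->http_conformance = base->http_conformance;
    return conf;
}

/* Effective setting for a vhost given the global and vhost values. */
static int effective(int global, int vhost, int seed_is_virt, int merge_field)
{
    server_conf base = { global, 1 };
    server_conf virt = { vhost, 0 };
    server_conf *c = merge_conf(&base, &virt, seed_is_virt ? &virt : &base,
                                merge_field);
    int result = c ? c->http_conformance : -1;
    free(c);
    return result;
}

int main(void)
{
    /* Constructed cases: global value, vhost value, seed choice, explicit merge. */
    printf("seed=virt, no merge: %d\n", effective(CONF_UNSAFE, CONF_UNSET, 1, 0));
    printf("seed=base, no merge: %d\n", effective(CONF_UNSAFE, CONF_UNSET, 0, 0));
    printf("seed=base, no merge: %d\n", effective(CONF_STRICT, CONF_UNSAFE, 0, 0));
    printf("seed=base, merged:   %d\n", effective(CONF_STRICT, CONF_UNSAFE, 0, 1));
    return 0;
}
```

When backporting a fix across branches, check both the duplicate source and the per-field merge lines together, since changing only one of them can silently drop a global or a per-vhost setting.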
