SECURITY: Eliminated leaks of several file descriptors to child

processes, such as CGI scripts.

PR: 17206
Submitted by:	Christian Kratzer <ck@cksoft.de>, Bjoern A. Zeeb <bz@zabbadoz.net>
Reviewed by:	Joe Orton, Will Rowe

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@99033 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 9f38a2d89c9bf9890fb43f46f8acfa5afaf7616b..689171827100ccae78dd215ade2dd5984d7edf61 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,11 @@
 Changes with Apache 2.0.45
 
+  *) SECURITY:  Eliminated leaks of several file descriptors to child
+     processes, such as CGI scripts.  This fix depends on the latest
+     APR library release 0.9.2, which is distributed with the httpd 
+     source tarball for Apache 2.0.45.  PR 17206
+     [Christian Kratzer <ck@cksoft.de>, Bjoern A. Zeeb <bz@zabbadoz.net>]
+
   *) Prevent endless loops of internal redirects in mod_rewrite by
      aborting after exceeding a limit of internal redirects. The
      limit defaults to 10 and can be changed using the RewriteOptions

diff --git a/modules/loggers/mod_log_config.c b/modules/loggers/mod_log_config.c
index 08a3585e1b4426e524b2087ca2d7be0132522f43..6e6efff47cf93b4f6aed2e9175e5af951a06a7ed 100644 (file)
--- a/modules/loggers/mod_log_config.c
+++ b/modules/loggers/mod_log_config.c
@@ -1285,7 +1285,6 @@ static void *ap_default_log_writer_init(apr_pool_t *p, server_rec *s,
                             "could not open transfer log file %s.", fname);
             return NULL;
         }
-        apr_file_inherit_set(fd);
         return fd;
     }
 }

diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index e3622696d8583dc19e37ba22ececd145da4ff815..866ba70f84bc3e5c081c9bf816d570d61f13c3a5 100644 (file)
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -3321,7 +3321,6 @@ static void open_rewritelog(server_rec *s, apr_pool_t *p)
                          "file %s", fname);
             exit(1);
         }
-        apr_file_inherit_set(conf->rewritelogfp);
     }
     return;
 }

diff --git a/server/log.c b/server/log.c
index ec7c44acfd85d72f9d05c11c7a6f255e486e1924..95ab4aa2e8edda408f041616cc88362754594ac6 100644 (file)
--- a/server/log.c
+++ b/server/log.c
@@ -320,8 +320,6 @@ static int open_error_log(server_rec *s, apr_pool_t *p)
                          ap_server_argv0, fname);
             return DONE;
         }
-
-        apr_file_inherit_set(s->error_log);
     }
 
     return OK;

diff --git a/server/mpm/worker/pod.c b/server/mpm/worker/pod.c
index e568d229f040f8e81ae87d57192d4cc549aa18f3..072777c9c7887e6c2b4c30dc54d7126e2b3a27c7 100644 (file)
--- a/server/mpm/worker/pod.c
+++ b/server/mpm/worker/pod.c
@@ -76,6 +76,10 @@ AP_DECLARE(apr_status_t) ap_mpm_pod_open(apr_pool_t *p, ap_pod_t **pod)
 */
     (*pod)->p = p;
     
+    /* close these before exec. */
+    apr_file_unset_inherit((*pod)->pod_in);
+    apr_file_unset_inherit((*pod)->pod_out);
+
     return APR_SUCCESS;
 }
 

diff --git a/server/mpm_common.c b/server/mpm_common.c
index 4a3a1d562ed3e476b0dceee628d4fd344bb9da41..f2c08e6d9c652456af5c1295f1dd258544fcf280 100644 (file)
--- a/server/mpm_common.c
+++ b/server/mpm_common.c
@@ -410,6 +410,10 @@ AP_DECLARE(apr_status_t) ap_mpm_pod_open(apr_pool_t *p, ap_pod_t **pod)
     apr_sockaddr_info_get(&(*pod)->sa, ap_listeners->bind_addr->hostname,
                           APR_UNSPEC, ap_listeners->bind_addr->port, 0, p);
 
+    /* close these before exec. */
+    apr_file_unset_inherit((*pod)->pod_in);
+    apr_file_unset_inherit((*pod)->pod_out);
+
     return APR_SUCCESS;
 }