*) SECURITY: CVE-2014-0231 (cve.mitre.org)

   mod_cgid: Fix a denial of service against CGI scripts that do
   not consume stdin that could lead to lingering HTTPD child processes
   filling up the scoreboard and eventually hanging the server.
   [Rainer Jung, Eric Covener, Yann Ylavic]

Submitted By: rjung, covener, ylavic
Reviewed By: trawick, jorton, covener, jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1610509 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c
index ee1f243d4b4de55e7e9071768d5b009563085419..fd3a2dbfa51dd77e0689040e31701c779efb8014 100644 (file)
--- a/modules/generators/mod_cgid.c
+++ b/modules/generators/mod_cgid.c
@@ -1551,6 +1551,10 @@ static int cgid_handler(request_rec *r)
             if (rv != APR_SUCCESS) {
                 /* silly script stopped reading, soak up remaining message */
                 child_stopped_reading = 1;
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, 
+                              "Error writing request body to script %s", 
+                              r->filename);
+
             }
         }
         apr_brigade_cleanup(bb);
@@ -1781,6 +1785,8 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f,
     request_rec *r = f->r;
     cgid_server_conf *conf = ap_get_module_config(r->server->module_config,
                                                   &cgid_module);
+    cgid_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgid_module);
+
     struct cleanup_script_info *info;
 
     add_ssi_vars(r);
@@ -1810,6 +1816,13 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f,
      * get rid of the cleanup we registered when we created the socket.
      */
     apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
+    if (dc->timeout > 0) {
+        apr_file_pipe_timeout_set(tempsock, dc->timeout);
+    }
+    else {
+        apr_file_pipe_timeout_set(tempsock, r->server->timeout);
+    }
+
     apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket);
 
     APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_pipe_create(tempsock,