From: Sander Striker Date: Sun, 26 Oct 2003 23:25:44 +0000 (+0000) Subject: Forward port from 2.0: X-Git-Tag: pre_ajp_proxy~1097 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3e4547ab87e700e501ca9434aaed462db4140a1b;p=thirdparty%2Fapache%2Fhttpd.git Forward port from 2.0: SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of the AF_UNIX socket used to communicate with the cgid daemon and the CGI script. Submitted by: Jeff Trawick git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@101570 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 6017250e039..b3d6b8a0f6d 100644 --- a/CHANGES +++ b/CHANGES @@ -210,6 +210,10 @@ Changes with Apache 2.1.0-dev Changes with Apache 2.0.48 + *) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of + the AF_UNIX socket used to communicate with the cgid daemon and + the CGI script. [Jeff Trawick] + *) SECURITY: CAN-2003-0542 (cve.mitre.org) Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures. diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c index a174e5d7b7e..c37e86fee1e 100644 --- a/modules/generators/mod_cgid.c +++ b/modules/generators/mod_cgid.c @@ -1355,11 +1355,13 @@ static int cgid_handler(request_rec *r) cleanup_script, apr_pool_cleanup_null); /* We are putting the socket discriptor into an apr_file_t so that we can - * use a pipe bucket to send the data to the client. - * Note that this does not register a cleanup for the socket. We did - * that explicitly right after we created the socket. + * use a pipe bucket to send the data to the client. APR will create + * a cleanup for the apr_file_t which will close the socket, so we'll + * get rid of the cleanup we registered when we created the socket. */ - apr_os_pipe_put(&tempsock, &sd, r->pool); + + apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool); + apr_pool_cleanup_kill(r->pool, (void *)sd, close_unix_socket); if ((argv0 = strrchr(r->filename, '/')) != NULL) argv0++; @@ -1492,24 +1494,12 @@ static int cgid_handler(request_rec *r) return HTTP_MOVED_TEMPORARILY; } - /* Passing our socket down the filter chain in a pipe bucket - * gives up the responsibility of closing the socket, so - * get rid of the cleanup. - */ - apr_pool_cleanup_kill(r->pool, (void *)sd, close_unix_socket); - ap_pass_brigade(r->output_filters, bb); } if (nph) { struct ap_filter_t *cur; - /* Passing our socket down the filter chain in a pipe bucket - * gives up the responsibility of closing the socket, so - * get rid of the cleanup. - */ - apr_pool_cleanup_kill(r->pool, (void *)sd, close_unix_socket); - /* get rid of all filters up through protocol... since we * haven't parsed off the headers, there is no way they can * work @@ -1658,16 +1648,11 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f, apr_pool_cleanup_null); /* We are putting the socket discriptor into an apr_file_t so that we can - * use a pipe bucket to send the data to the client. - * Note that this does not register a cleanup for the socket. We did - * that explicitly right after we created the socket. - */ - apr_os_pipe_put(&tempsock, &sd, r->pool); - - /* Passing our socket down the filter chain in a pipe bucket - * gives up the responsibility of closing the socket, so - * get rid of the cleanup. + * use a pipe bucket to send the data to the client. APR will create + * a cleanup for the apr_file_t which will close the socket, so we'll + * get rid of the cleanup we registered when we created the socket. */ + apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool); apr_pool_cleanup_kill(r->pool, (void *)sd, close_unix_socket); APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_pipe_create(tempsock,