From a30c26ca9d22f6482465de7adc4b045519127cfc Mon Sep 17 00:00:00 2001 From: Eric Covener Date: Mon, 14 Jul 2014 20:08:25 +0000 Subject: [PATCH] *) SECURITY: CVE-2014-0231 (cve.mitre.org) mod_cgid: Fix a denial of service against CGI scripts that do not consume stdin that could lead to lingering HTTPD child processes filling up the scoreboard and eventually hanging the server. [Rainer Jung, Eric Covener, Yann Ylavic] Submitted By: rjung, covener, ylavic Reviewed By: trawick, jorton, covener, jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1610509 13f79535-47bb-0310-9956-ffa450edef68 --- modules/generators/mod_cgid.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c index ee1f243d4b4..fd3a2dbfa51 100644 --- a/modules/generators/mod_cgid.c +++ b/modules/generators/mod_cgid.c @@ -1551,6 +1551,10 @@ static int cgid_handler(request_rec *r) if (rv != APR_SUCCESS) { /* silly script stopped reading, soak up remaining message */ child_stopped_reading = 1; + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, + "Error writing request body to script %s", + r->filename); + } } apr_brigade_cleanup(bb); @@ -1781,6 +1785,8 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f, request_rec *r = f->r; cgid_server_conf *conf = ap_get_module_config(r->server->module_config, &cgid_module); + cgid_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgid_module); + struct cleanup_script_info *info; add_ssi_vars(r); 
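Review bot: The new `ap_log_rerror()` call in cgid_handler carries no `APLOGNO()` tag; if the rest of this file tags its messages, add one, e.g. `APLOGNO(<id>) "Error writing request body to script %s"` with the id allocated through the project's usual procedure. This line is the only operator-visible trace of a script that is not draining stdin, so a stable tag makes it straightforward to alert on. The comment above it still says only that the script stopped reading, while `rv` may presumably also be a timeout; `/* write failed or timed out: stop feeding the script, keep soaking up the body */` would match the message better. The enclosing loop starts and ends outside the hunk, so whether this logs once per request or once per bucket cannot be confirmed from here.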
@@ -1810,6 +1816,13 @@ static int include_cmd(include_ctx_t *ctx, ap_filter_t *f, * get rid of the cleanup we registered when we created the socket. */ apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool); + if (dc->timeout > 0) { + apr_file_pipe_timeout_set(tempsock, dc->timeout); + } + else { + apr_file_pipe_timeout_set(tempsock, r->server->timeout); + } + apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket); APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_pipe_create(tempsock, -- 2.47.3
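Review bot: Both new `apr_file_pipe_timeout_set()` calls in include_cmd discard the returned status, so if setting the timeout ever fails, the SSI exec path silently keeps whatever timeout the socket had before (presumably blocking), which is the condition this commit sets out to remove. Consider collapsing the branch into one checked call, `rv = apr_file_pipe_timeout_set(tempsock, dc->timeout > 0 ? dc->timeout : r->server->timeout);`, and logging a warning when `rv != APR_SUCCESS`; this assumes a status variable is available, as the function's declarations are outside the hunk. The block also lands between the existing comment about removing the socket cleanup and the `apr_pool_cleanup_kill()` call that comment describes. Either move the block below that call or give it its own comment, such as `/* bound I/O on the daemon socket so a stalled script cannot hold this child indefinitely */`.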